It can be done transparently to the user, but ugly to the developer.
If you've ever tried submitting a login request to j_security_check without first hitting a protected resource, you'll notice it doesn't work. But if you hit the protected resource, you can then submit a request to j_security_check from anywhere, without necessarily using a form on the page that the user would be directed to when hitting a protected resource without being first authenticated.
I did it with javascript like this:
Send an AJAX request to a protected resource. The callback handler for that request then submits a new request to j_security_check including the necessary j_username and j_password credentials. Viola, authenticated, user never saw a thing.
I'm a java guy, but I assume you can do the same in C#. The ugly part is that it requires 2 requests, the first of which acts as a way of triggering the server into waiting for an authentication request, and the second which actually sends the authentication request.
It's a complete hack, but it's transparent to the user unless there's significant network latency.
[Message sent by forum member 'rwillie6' (rwillie6)]
http://forums.java.net/jive/thread.jspa?messageID=246503