In glassfish we don't always forward to the login page, because we want to be able to enforce user-data-constraints on the login page, and in Servlet, constraints are not enforced on forwards.
We only forward to the login page when the initial request is already "secure" wrt to its transport. In that case, I believe you will find the attribute value set.
if wherever you have an auth-constraint you include a user-data-constraint, I think you will be able to find the attrinbute set, but I realize that may not be acceptible.
without the above workaround, maybe the info you seek is available in the session.
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=268817