can you explain what you meant when you said you "need to use different forms for different roles?".
I ask this because I am trying to figure out if you are using programmatic login to change an already established authentication identity, or to present different interfaces for establishing an initial authentication identity.
I need to think a bit more about the potential relationship between ProgrammaticLogin and SSO, as we are in the process of adding standard login interfaces to Servlet 3.0. I'll add another note to this thread in a day or so.
Ron
ps: while recognizing that ProgrammaticLogin may be the easiest way to do what you want to do, you could also take the path of defining a Server Auth Module (e.g. SAM) for use with your application. The SAM could return different login forms depending on requst characteristics, and your app could remain unencumbered by authentication processing. See:
http://blogs.sun.com/enterprisetechtips/entr/adding_authentication_mechanisms_to_the
if, on successful authentication, the SAM adds a mapping for the key "com.sun.web.RealmAdapter.register" to the map of MessageInfo, then the Glassfish Servlet container will register the results of the authentication with the container's session management subsystem, including the SSO valve (if the valve is configured).
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=300970