Thanks for the plug for JSR 196. As I read the use case, the new HttpServletRequest#login method is likely the best match.
Agreed that the available docs and examples for JSR 196 are not what they should be, which I'll try to improve.
You are also correct that the Servlet profile of JSR 196 does not prescribe how a SAM interacts with the session machinery of the encompassing container (which I believe is what you meant by step 2).
FWIW, this was at least partially left unspecified to account for the case where the SAM fully manages authentication session state, which is also the primary reason why the SAM is invoked on every request (even if the target is not protected, or the user is already authenticated).
In GlassFish, a SAM may instruct the container to register the authentication state (with the session machinery), by adding the following flag to the MessageInfo map.
"com.sun.web.RealmAdapter.register"
..and, I intend to enhance the profile, such that it establishes a portable means to *register* authentication state with the session machinery of the encompassing container.
[Message sent by forum member 'monzillo' (ronald.monzillo_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=385521
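
As an added example (not the poster's code and not GlassFish's own), a SAM that sets the flag described above only after a caller has been verified, and that lets unauthenticated requests to unprotected targets through. The class name, the `verifyCaller` hook and the flag value `"true"` are assumptions; the map key is the one quoted in the post, and the example needs the JSR 196 and Servlet API jars to compile.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical SAM: only REGISTER_KEY comes from the post; everything else is illustrative.
public abstract class RegisteringSam implements ServerAuthModule {
    private static final String REGISTER_KEY = "com.sun.web.RealmAdapter.register";
    private static final String MANDATORY_KEY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;

    // Hypothetical hook: returns the verified caller name, or null when no valid credentials are present.
    protected abstract String verifyCaller(HttpServletRequest request);

    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map options) { handler = h; }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        String caller = verifyCaller((HttpServletRequest) info.getRequestMessage());
        boolean mandatory = Boolean.parseBoolean(String.valueOf(info.getMap().get(MANDATORY_KEY)));
        if (caller == null && mandatory) {
            // Protected target without valid credentials: reject, and register nothing.
            ((HttpServletResponse) info.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }
        try { // A null principal tells the container the caller is unauthenticated.
            handler.handle(new Callback[] { caller == null
                ? new CallerPrincipalCallback(client, (Principal) null)
                : new CallerPrincipalCallback(client, caller) });
        } catch (Exception e) {
            throw (AuthException) new AuthException("CallerPrincipalCallback failed").initCause(e);
        }
        if (caller != null) {
            // Ask the container to bind the authentication state to the session (value "true" is assumed).
            info.getMap().put(REGISTER_KEY, Boolean.TRUE.toString());
        }
        return AuthStatus.SUCCESS;
    }

    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }

    public void cleanSubject(MessageInfo info, Subject subject) { subject.getPrincipals().clear(); }
}
```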