I implemented a JSR-196 authentication module.
It seems I need to save the user myself, so I put it in session after successful authentication.
Now, is it a problem with my implementation, or is it the way it is intended? Do I really need to check the session on every request?
I'm using Glassfish 3.1.1
Seems it's intended this way. A jsr-196 module is responsible for those aspects.