I am using form-based authentication in a web application which is being deployed on a JBoss 3.2.3 server. I am authenticating against an Oracle database by way of a DatabaseServerLoginModule (JAAS). I would like to save the user's login ID as a session attribute in order to be able to use it later in the application. It's not obvious how you can capture this information and add it to the session, since it seems that the login ID is lost once the authentication is done by j_security_check process. Is there some way to tell the servlet container to save the login ID as a session attribute as part of the j_security_check process (something along the lines of "if the authentication succeeds add the login ID as an attribute to the session") ? Is there another approach ? What is the accepted "best practice" for doing session initialization after authentication ? For example if a user needs to have several attributes set in their session after login -- how is this handled ? I have done this before with a login servlet which did both the authentication and the session initialization, but when using form-based authentication and j_security_check it's not clear to me how you go from the authentication to the initialization logic. Thanks in advance for any suggestions or insight.