login manually using LoginContext is not stored on the session for a security constraint

Hi,

I have a custom login module:

package com.tomcat.test.security;

import java.io.IOException;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class CustomLoginModule implements LoginModule
{
	/** call back handler to store between initialization and authentication. */
	private CallbackHandler handler;
	
	/** Subject to store. */
	private Subject subject;
	
	private Long userId;
	
	private String userName;
	
	public boolean abort() throws LoginException
	{
		return false;
	}

/**
     * This is where, should the entire authentication process succeeds,
     * principal would be set.
     *
     * @see javax.security.auth.spi.LoginModule#commit()
     */
	public boolean commit() throws LoginException
	{
		try
		{
			CustomPrincipal user = new CustomPrincipal( userId, userName );
			CustomRolePrincipal role = new CustomRolePrincipal( "admin" );
			
			subject.getPrincipals().add( user );
			subject.getPrincipals().add( role );
			
			return true;
		}
		catch (Exception e)
		{
			throw new LoginException( e.getMessage() );
		}
	}

@SuppressWarnings("unchecked")
	public void initialize(Subject aSubject, CallbackHandler aCallbackHandler, Map aSharedState, Map aOptions)
	{
		this.subject = aSubject;
		this.handler = aCallbackHandler;
	}

public boolean login() throws LoginException
	{
		Callback[] callbacks = new Callback[2];
		callbacks[0] = new NameCallback( "login" );
		callbacks[1] = new PasswordCallback( "password", true );
		
		try
		{
			handler.handle( callbacks );
			
			String name = ((NameCallback) callbacks[0]).getName();
			String password = String.valueOf(((PasswordCallback) callbacks[1]).getPassword());
			
			if ( ! name.equals( "avitale" ) && ! password.equals( "password" ) ) 
			{
				throw new LoginException("Authentication failed");
			}
			
			userId = 0L;
			userName = name;
			
			return true;
		}
		catch (IOException e)
		{
			throw new LoginException( e.getMessage() );
		}
		catch (UnsupportedCallbackException e)
		{
			throw new LoginException( e.getMessage() );
		}
	}

public boolean logout() throws LoginException
	{
		try
		{
			CustomPrincipal user = new CustomPrincipal( userId, userName );
			CustomRolePrincipal role = new CustomRolePrincipal( "admin" );
			
			subject.getPrincipals().remove( user );
			subject.getPrincipals().remove( role );
			
			return true;
		}
		catch (Exception e)
		{
			throw new LoginException( e.getMessage() );
		}
	}

}

I have a jaas.login:
TomcatTest {
com.tomcat.test.security.CustomLoginModule required debug=true;
};

In my web.xml I have:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>TomcatTest</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/secured/*</url-pattern>
<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>

When I go to a URL /secured/secured.html I get the login popup and everything works well.

I tried to implement a different servlet (not secured) and perform a manual login:

And I also created the CustomCallbackHandler:

package com.tomcat.test.security;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class CustomCallbackHandler implements CallbackHandler
{
	private String name;
	
	private String password;
	
	public CustomCallbackHandler(String name, String password)
	{
		this.name = name;
		this.password = password;
	}
	
	public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
	{
		System.out.println("Callback Handler - handle called");
		
		for ( int i = 0 ; i < callbacks.length ; i++ )
		{
			if ( callbacks[i] instanceof NameCallback )
			{
				NameCallback nameCallback = ( NameCallback ) callbacks[i];
				nameCallback.setName( name );
			}
			else if ( callbacks[i] instanceof PasswordCallback )
			{
				PasswordCallback passwordCallback = ( PasswordCallback ) callbacks[i];
				passwordCallback.setPassword( password.toCharArray() );
			}
			else
			{
				throw new UnsupportedCallbackException( callbacks[i], "The submitted Callback is unsupported" );
			}
		}
	}
}

In the LoginServlet the login is successfull, but when from the same browser I go to /secured/secured.html I still get the login popup from the browser.
It seems that the session does not 'remember' the manual login.

Can someone please tell me what I am doing wrong? I don't know what else to do

Thank you very much for your assistance.