JBoss Community

JBoss AS7: Enabling JASPI Authentication for Web Applications

new comment by 61 Monzillo

validateRequest *should* be called under HttpServletRequest.authenticate, but that has not yet been made explicit in the Servlet Profile of JSR 196 (and will be the subject of the next MR to the spec). ValidateRequest should not be called under HttpServletRequest.login, mostly because login presumes a user name/password authentication mechanism (which may not be compatible with the configured auth context). It might be worth considering having login use the callback handler to handle a passwordValidationCallback (if JSR 196 is configured for the app), in which case the login impl would need access to the same callback handler that was passed to the 196 auth context configured for the app. I will think about how that might be possible, but at this time, the main integration point for JSR 196 and programmatic login should be authenticate (not login).