The Web Server is not involved in how the login information (user name and password) is obtained by the deployed application. The application developer must ensure that the resulting system meets security requirements. If the application code reads the authentication information across the network, the application must to determine whether to trust the user.
Programmatic login enables the application developer to bypass the Web Server-supported authentication mechanisms and feed authentication data directly to the security service. While flexible, this capability should not be used without some understanding of security issues.
Because this mechanism bypasses the container-managed authentication process and sequence, the application developer must be very careful in making sure that authentication is established before accessing any restricted resources or methods. The application developer must also verify the status of the login attempt and to alter the behavior of the application accordingly.
The programmatic login state does not necessarily persist in sessions or participate in single sign-on.
Lazy authentication is not supported for programmatic login. If an access check is reached and the deployed application has not properly authenticated using the programmatic login method, access is denied immediately and the application might fail if not properly coded to account for this occurrence.