There are several ways to authenticate a client:

• use the REST API to authenticate the client (/identity/authenticate or /json/authenticate)
• using the ClientSDK AuthContext API
• sending POST requests to /UI/Login (not necessarily the best way..)

After acquiring the token the only thing you have to make sure of is that you send the session cookie to the protected pages. In case you receive a self-submitting form for JAAS, then that means that you are using the agent in J2EE_POLICY or ALL mode and Java EE declarative security is enabled. Possible solutions for this problem area:

• modify the client so it copes with the JAAS FORM login content (i.e. grab the input values and perform a POST manually), after this possibly you will also have to send the JSESSIONID with all your requests.
• consider removing protection for your servlets in web.xml, that way the container will not attempt to display the JAAS login form, but then this will also mean that you won't have the fancy JAAS integration either (isUserInRole/getRemoteUser/@RolesAllowed/etc)
• move your servlet to a separate application, which can be protected in a different agent filter mode (URL_POLICY/SSO_ONLY), it would be still protected, but again without the JAAS integration..

Basically I can't think of an easy way of leveraging JAAS integration with the use of a heavy client without dealing with form based login.. At one point in time I was able to implement a Java EE application client that authenticated into the container's (agent's) realm using programmatic login and that worked, but I don't suppose your heavy client is actually a Java EE application client..