This is critical as it risks changing defined APIs and SPIs but we need to cover programatic authentication.

It is however possible this is handled within the app server integration and not within our framework but we have two predominant cases: -

• Servlet calls authenticate which means our mechanisms need to be triggered to challenge the client.
• Servlet calls login with a username and password.