We need to deprecate FormAuthValve completely. Currently the ExtendedFormAuthenticator does not give an opportunity to populate the session with the username/password if the first attempt at login is successful.

So need to override the "authenticate" method of the FormAuthenticator.

While investigating this issue, I suggest it should be checked whether ExtendedFormAuthenticator can extend the FormAuthenticator that is coming off of the tomcat jars and not the FA that exists in the same package as the EFA.