Login and set up principal in request and session. This implements
programmatic login for servlets.
Due to a number of bugs in RI the security context is not
shared between web container and ejb container. In order for an
identity established by programmatic login to be known to both
containers, it needs to be set not only in the security context but
also in the current request and, if applicable, the session object.
If a session does not exist this method does not create one.
See bugs 4646134, 4688449 and other referenced bugs for more
background.
Note also that this login does not hook up into SSO.