context.getSession().removeAttribute("webauth.failedUser");
if (username != null && password != null && username.length() > 0) {
citizen = realm.getCitizen(username);
context.log().info("username: '"+username+"' citizen: "+citizen);
if (citizen != null && citizen.verifyCredentials(password)) {
context.setCitizen(citizen);
context.log().info("web: authentication ok");
if (context.getOriginalPathinfo().equals(loginPath)) {
throw new RedirectException(context.getSession().getId(), forwardPath);