Avoid login (JAAS) every time I change path (and it generates a new session)
I've configured my Java EE app to use declarative security with JAAS (I've even implemented a custom LoginModule). The problem is that every time I change the URL path (e.g. from http://mysite/restricted to http://mysite/restricted/configs), the system asks me to log in again!!!!
After searching a little I found out that a new Session is being created every time I change the directory (there are cookies for each path). So I guess that the authentication is done for the session (seems obvious). But... how do I solve this? I need subdirectories to apply security by linking them with roles (role X can access /restricted/some-function/*). Also, I need some roles (e.g. Manager) to have access to all subdirectories without needing to log in every time.
What am I missing?
You should set the path of your cookies to /.
For Tomcat: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html (search for sessionCookiePath).
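
The setting the answer points to, written out as an added example that is not part of the original answer. It shows two alternative fragments: the Tomcat `sessionCookiePath` attribute and the portable Servlet 3.0 `cookie-config` equivalent. The file locations and the HttpOnly settings are assumptions about a typical deployment.

```xml
<!-- Added example, not from the original answer. Two separate fragments. -->

<!-- Option 1 (Tomcat-specific): META-INF/context.xml of the web application.
     sessionCookiePath overrides any cookie path the application sets itself,
     so one session cookie covers /restricted and every subdirectory. -->
<Context sessionCookiePath="/" useHttpOnly="true">
</Context>

<!-- Option 2 (portable, Servlet 3.0+): inside <web-app> in WEB-INF/web.xml. -->
<session-config>
    <cookie-config>
        <path>/</path>
        <!-- Keep the session cookie out of reach of page scripts. -->
        <http-only>true</http-only>
        <!-- Assumption: add <secure>true</secure> only once the site is
             served over HTTPS; the URLs in the question are plain http. -->
    </cookie-config>
</session-config>
```

With the path set to /, the browser sends the session cookie to every application on the same host, so this fits a host that serves only applications you trust with that session.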