BlazeDS Security Custom LoginCommand

I've implemented a own LoginCommand and it works perfectly for all the remote calls from flex. But beside the flex remote objects I'd like to protect some other web resources like html, jsp and swf files so I added a security-constraint with url pattern in the web.xml.

<security-constraint>
    <web-resource-collection>
      <web-resource-name>FlexClient Secure Webapp</web-resource-name>
      <description>Security constraint /secure</description>
      <url-pattern>/main.jsp</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>

    <auth-constraint>
        <description>only authenticated user</description>
        <role-name>flexclient-user</role-name>
    </auth-constraint>          
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp</form-error-pa开发者_Go百科ge>
  </form-login-config>
</login-config> 

<security-role>     
    <role-name>flexclient-user</role-name>
</security-role>

Security configuration in services-config.xml

<security>
    <login-command class="ch.tie.iengine.flex.security.LoginCommand" server="all" >
        <per-client-authentication>false</per-client-authentication>
    </login-command>

    <security-constraint id="trusted">
        <auth-method>Custom</auth-method>
        <roles>
            <role>flexclient-user</role>
        </roles>
    </security-constraint>              
</security>

But even I got once authenticated successfully through remote calls I can not call the other resources. It always forwards me to login.jsp.

Does anyone had a similar issue?