Les, We're trying to do a centralized authentication service, in which one machine (one tomcat instance) does authentication and all other machines just redirect all servlet requests to the authentication machine. If a user is not authenticated, he gets the login screen, and on successful login, gets routed from the authentication server back to the URL that he requested on the application machine. So we'd have each application do what the sample webapp does: have a ShiroFilter in web.xml which redirects all URLS to login.jsp. At that point, the WebUtils.saveRequest() call saves a URL, but it saves it on the application machine, not the authentication server. Then, the login.jsp ACTION is to invoke a servlet on the authentication machine, where the WebUtils.getSavedRequest() would NOT retrieve the saved URL, because it was saved back on the application machine.
So it looks like these PassThruAuthenticationFilter and FormAuthenticationFilter filters don't support centralized authentication out-of-the-box. Everything works for me now, but only because I'm running everything on a single machine. Does all that make sense? If so, don't we need to be "saving" the URL by storing it as a hidden field on login.jsp, and setting the user-requested URL as we send the user to login.jsp? Thanks again, Andy p.s. I'm working with Gurpreet, and this is a variation on her recent post to the list.
