Thanks, Craig!

> > 1. If the user is not logged in or if the session has
> > timed out, then it should open the login page and after
> > successful login it should try to access the very
> > same request (i.e. the same document).
> I don't quite see why you need to modify the standard
> form-based login mechanisms, either. Can't you just use
> the standard form-based login for triggering authentication?

No, I did not want to modify the standard login mechanism by any means :-). I simply had this (wrong) impression that filters get called before security constraints are checked. How stupid of me :-).

Creating a security constraint like you suggested covered the first step, and now I have this filter purring like a kitten.

Just in case anybody is interested... this is what I did. doFilter looks like this:

    // Imports needed by the filter class that contains this method.
    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public void doFilter( ServletRequest request,
                          ServletResponse response,
                          FilterChain chain )
        throws IOException, ServletException {

        // Is this really necessary? Could it be that requests
        // other than HttpServletRequest are passed to
        // this filter? Can they be harmful by any means?
        // Or should I let them through?
        //
        // The instanceof checks must come before anything is
        // called on the HTTP objects; a plain ServletResponse
        // has no sendError(), so a non-HTTP request is refused
        // with a ServletException instead of being let through.
        if( !(request instanceof HttpServletRequest)
            || !(response instanceof HttpServletResponse) ){
            throw new ServletException( "Only HTTP requests are supported" );
        }
        HttpServletRequest httpRequest = (HttpServletRequest)request;
        HttpServletResponse httpResponse = (HttpServletResponse)response;

        // The security constraint makes the container authenticate
        // the user before this filter runs, so getRemoteUser() should
        // never be null here. If it is, the URI is not covered by the
        // constraint and the document is hidden with a 404.
        String user = httpRequest.getRemoteUser();
        String requestURI = httpRequest.getRequestURI();
        if( user == null ){
            httpResponse.sendError( HttpServletResponse.SC_NOT_FOUND );
            return;
        }

        boolean authorized = false;
        try {
            // At this point we have the user name in 'user' and the
            // request URI in 'requestURI'. Make sure that this user
            // has rights to get this document and set authorized to
            // true, if (s)he has.
            authorized = ...
        } catch( Exception e ){
            // Any failure in the lookup leaves 'authorized' false,
            // i.e. the request is denied by default.
        }

        if( !authorized ){
            httpResponse.sendError( HttpServletResponse.SC_NOT_FOUND );
            return;
        }

        // Pass control on to the next filter.
        chain.doFilter( request, response );
    }

with best wishes,
Taavi