Java authentication with Tomcat relies on realms. If you access a page protected by that realm you get directed to the login page. However, it is possible to go directly to the login page (this can happen when users bookmark the login page inadvertently).
This happens in two scenarios: 1) The user is already logged in. 2) The user is not logged in.

If you authenticate yourself once you have gone directly to the login page, you get an "invalid direct reference" error. Fair enough, the login page is trying to redirect to itself. Now, I tried to work around this by checking if the session is null, and if it is, redirecting to some protected page, e.g. protected/index.jsp. No luck. It seems that a session is implicitly created, and a new session id gets created. So I've tried a cookie strategy:

    <%
        // No cookie at all: we came straight to the login page, so bounce
        // to a protected page and let Tomcat start the login flow.
        if ( request.getCookies()==null ) {
            response.sendRedirect("/xxxx/jsp/protected/index.jsp");
            return;  // stop here; rendering on (or a second sendRedirect) would be wrong
        }
        // Already authenticated: just go to the index page.
        if ( request.getRemoteUser()!=null ) {
            response.sendRedirect("/xxxxx/jsp/protected/index.jsp");
            return;
        }
    %>

i.e. we won't have a cookie if we've gone directly to the login page, but we will have one if we've tried to access a protected page and then been forwarded to the login page; Tomcat will give us a cookie. Now if we're already logged in (which we check with getRemoteUser()), then we just forward the user to an index page. This seems OK. However, my index page actually includes my login page! I'm planning to get around this with some logic that only includes the login page excerpt if we are not logged in......

Ben
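The reason the session check in the post above did not work is that a JSP's page directive defaults to session="true", so the container creates a session before any scriptlet on the page runs. With session="false" the login page can tell the two arrivals apart: Tomcat's FORM authenticator creates a session to hold the saved request before it forwards to the login page, so a request that reaches the page with no session came there directly. The following login page is an added example, not Ben's code or Tomcat's; it assumes a FORM-auth webapp whose protected area lives under /jsp/protected/ (a hypothetical path) and whose login form posts to j_security_check.

```jsp
<%@ page session="false" contentType="text/html" %>
<%--
  Added example, not the original poster's code. Assumes FORM authentication
  and a hypothetical protected index at <context>/jsp/protected/index.jsp.

  session="false" stops the JSP engine from creating a session before the
  scriptlet below runs, so request.getSession(false) is genuinely null when
  the user typed or bookmarked this URL instead of being forwarded here.
--%>
<%
    // Build the redirect target from the context path rather than hard-coding
    // it, and let the container add a session id to the URL if it needs to.
    String protectedIndex = response.encodeRedirectURL(
            request.getContextPath() + "/jsp/protected/index.jsp");

    // Case 1: already authenticated. Submitting the form again would hit
    // j_security_check with no saved request (the "invalid direct reference"
    // error), so send the user on to the protected area instead.
    if (request.getUserPrincipal() != null) {
        response.sendRedirect(protectedIndex);
        return;  // stop rendering; nothing after a redirect should be written
    }

    // Case 2: not authenticated and no session. Tomcat creates a session to
    // hold the saved request before forwarding to this page, so "no session"
    // means a direct hit. Redirecting to a protected URL makes the container
    // start the login flow properly and then forward back here.
    if (request.getSession(false) == null) {
        response.sendRedirect(protectedIndex);
        return;
    }

    // Case 3: forwarded here by the container with a saved request: render
    // the form so j_security_check has somewhere to return the user to.
%>
<html>
<body>
<form method="POST" action="j_security_check">
  <label>User: <input type="text" name="j_username"></label>
  <label>Password: <input type="password" name="j_password"></label>
  <input type="submit" value="Login">
</form>
</body>
</html>
```

The same two checks can be kept in an included login excerpt on the index page: the getUserPrincipal() test is what decides whether the form is shown at all, and each sendRedirect is followed by return so the rest of the page is never written into a redirected response.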