General design flaw

[twwwt]

The approach implemented here - Java Servlet Filter-based authentication - involves a fundamental problem: it does no longer work once you start specifying <auth-constraint>s in your web.xml. The reason is that the container processes security constraints first, before it processes filters.

(This issue was created to make people aware of that rather than that this issue should be fixed.)

[cerker]

Thanks for pointing this out. If you need finer grained control and are prefer to annotate the code with security constraints, you can use an approach like this. If you want configuration-based access control, you need a different solution. (While I am not sure if there are scenarios where you would use both approaches at the same time.)