Tomcat SecurityFilter and Authorization

I've implemented a simple filter that simply adds two Principles to the current session (see doFilter below). My problem is that this is firing when i request a resource but then I'm never able to see the resource becasue the FORM based login screen pops up. I'm attempting to get around the form based login with this particular filter (eventually using a quick-to-expire token) though nothing seems to seem to allow me to do this.

public void doFilter(ServletRequest request, ServletResponse response,
       FilterChain chain) throws IOException, ServletException {
  HttpServletRequest httprequest = (HttpServletRequest)request;
  HttpServletResponse httpresponse = (HttpServletResponse)response;
  HttpSession session = httprequest.getSession(true);
  Subject subject = (Subject)session.getAttribute("javax.security.auth.subject");

  if (subject == null){
开发者_StackOverflow中文版   subject = new Subject();
   PlainUserPrincipal user = new PlainUserPrincipal("admin");
            PlainRolePrincipal role = new PlainRolePrincipal("admin");
   subject.getPrincipals().add(user);
   subject.getPrincipals().add(role);
  }

  chain.doFilter(httprequest, httpresponse);
 }

Due to security reasons you can't map servlets/filters on an URL pattern of /j_security_check when running Tomcat. The symptoms indicate that you're doing this. I say specifically Tomcat, because I've seen cases that it works on other (specific) container makes/versions. But you don't want to be dependent on that.

Rather filter on /*, or at least the same URL pattern as your security constraint, and intercept on the presence of the user principal and the absence of the session object.

if (request.getUserPrincipal() != null && session.getAttribute("subject") == null) {
    Subject subject = new Subject();
    // ...
    session.setAttribute("subject", subject);
}

chain.doFilter(request, response);