users@glassfish.java.net

Re: Allowing Direct Form Based Login Without First Accessing A Secured Url

From: <glassfish_at_javadesktop.org>
Date: Fri, 04 Jan 2008 14:04:56 PST

I wouldn't even bother. Simply "protect" your landing page, and have the users go there. Make "index.jsp" (or whatever your default starting page is) redirect to the landing page, and you get the same effect.

Basically, train the users to not bookmark the login page. Rather bookmark the landing page, and everything will be peachy.

If you simply MUST have this work, then you can do some chicanery to give the illusion that it's working.

First, implement what I said before: protect the landing page.

Simply put a filter on your application that looks for "login.jsp". If the URL is NOT login.jsp, then throw a token into the session for the user (if you're not using sessions, this won't work).

Now, on login.jsp, check the session for the token. If it's NOT there, then just redirect to the landing page and let the internal mechanism take over.

What will happen is the filter will see that you're NOT going to "login.jsp" (you're going to the landing page). It will set the token. It will try and access the landing page, but the security will kick in and present the login.jsp. The login.jsp will see the token and continue rendering the page like normal.

Note, you should exempt unprotected resources from your filter.

Basically, it CAN be done. But I don't believe it SHOULD be done. Rather, don't bookmark the login.jsp, instead bookmark the landing page, and everything will work much more painlessly.

As an afterthought I should clarify that I THINK this will work. I don't recall if filters are kicked in before container authentication or not. If they aren't, this won't necessarily work.

But it's some food for thought.
[Message sent by forum member 'whartung' (whartung)]

http://forums.java.net/jive/thread.jspa?messageID=252307
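
The token scheme described in the message above, sketched as a servlet filter; this is an added example, not code from the original post or from GlassFish. The class name, session attribute name, landing page path and exempt prefixes are assumptions, the login.jsp check is done in the filter rather than in the JSP, and the token is consumed after one use, which the post does not specify. It only behaves as described if the filter runs before container authentication, the open question the post itself raises.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: marks sessions that entered through the application
// and bounces direct hits on login.jsp to the protected landing page.
public class LoginTokenFilter implements Filter {
    static final String TOKEN = "cameThroughApp";   // assumed attribute name
    static final String LOGIN = "/login.jsp";
    static final String LANDING = "/landing.jsp";   // assumed protected page
    static final String[] EXEMPT = { "/css/", "/images/" }; // assumed public paths

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getServletPath();

        // Unprotected resources pass through untouched.
        for (String prefix : EXEMPT) {
            if (path.startsWith(prefix)) { chain.doFilter(rq, rs); return; }
        }

        if (!LOGIN.equals(path)) {
            // Any other URL: record that the user came in through the app.
            // The token is a navigation hint only, never proof of authentication.
            req.getSession(true).setAttribute(TOKEN, Boolean.TRUE);
            chain.doFilter(rq, rs);
            return;
        }

        // Request for login.jsp: render it only if the token is present.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(TOKEN) == null) {
            // Direct hit (e.g. a bookmark): let container security take over.
            res.sendRedirect(req.getContextPath() + LANDING);
            return;
        }
        // Consume the token so a later bookmarked visit is redirected again.
        session.removeAttribute(TOKEN);
        chain.doFilter(rq, rs);
    }
}
```

Because the filter creates a session before login, the session ID issued here should not be trusted to carry over unchanged into the authenticated session.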