This is how I'm doing it:
I'm using programmatic security instead of the declarative options available with Tomcat and/or other servers.
When a user logs in, I get some of their user information from the database and put it in a bean (called userBean) and bind that to the user's session.
All the other pages go through a filter that makes sure that a userBean exists in this user's session. If it's missing (null), I forward the user to the login page. Otherwise, the request continues to its intended destination.
[ January 27, 2005: Message edited by: Ben Souther ]
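A sketch of the session-check filter described in the post above, added here as an illustration and not the poster's own code. The class name, the `/login.jsp` and `/login` paths, and the `javax.servlet` API generation (Tomcat of that era) are assumptions; only the `userBean` session attribute comes from the post.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class LoginCheckFilter implements Filter {
    // Assumed paths; the post does not name them.
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String LOGIN_ACTION = "/login";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // The login page and its form target must stay reachable without a
        // userBean, otherwise nobody could ever log in. Exact match only, so
        // anything unexpected falls through to the session check (fail closed).
        String path = request.getServletPath();
        if (LOGIN_PAGE.equals(path) || LOGIN_ACTION.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = request.getSession(false);
        Object userBean = (session == null) ? null : session.getAttribute("userBean");

        if (userBean == null) {
            // Not logged in: forward to the login page and stop here, so the
            // protected resource is never invoked.
            request.getRequestDispatcher(LOGIN_PAGE).forward(req, res);
            return;
        }

        // Logged in: let the request continue to its intended destination.
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter only protects what it is mapped to, so the `<filter-mapping>` in `web.xml` should cover every protected URL pattern (for example `/*`) and not just the JSPs.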