In that case, if you are using that web.xml security role policy thing, you might need to find some kind of container-provided mechanism to ensure the request object has the user principal and roles populated before the web application is invoked.
That is, one of the realm implementations that come with Tomcat (see http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html) so the user is authenticated and roles are populated into the request before your webapp is invoked.
I created my filter as a workaround to having to make use of the container-provided realms, where I stuff the user principal and roles into the request object with this filter, after I have looked them up in my own mechanism. This was suitable for my use as the application also worked with a 'profile manager' outside of a web application container, so I didn't want to get into container-specific realm configurations.
Though that also likely makes this filter not compatible with standard web.xml realm and security configurations.
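
A sketch of the kind of filter described in the post above, added here as an illustration and not the poster's own code. `UserLookup`, the `userLookup` context attribute and the class name are hypothetical stand-ins for the application's own lookup mechanism; only the `javax.servlet` types are real API.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class PrincipalInjectingFilter implements Filter {

    /** Hypothetical hook into the application's own user store; not a Tomcat API. */
    public interface UserLookup {
        String authenticatedUser(HttpServletRequest req); // null when the caller is not authenticated
        Set<String> rolesFor(String user);                // assumed to return a non-null set
    }

    private UserLookup lookup;

    public void init(FilterConfig cfg) throws ServletException {
        // Assumption: the application publishes its lookup in the ServletContext at startup.
        lookup = (UserLookup) cfg.getServletContext().getAttribute("userLookup");
        if (lookup == null) throw new ServletException("userLookup not configured");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        final String user = lookup.authenticatedUser(http);
        if (user == null) {
            // Fail closed: pass the request on untouched, with no identity or roles attached.
            chain.doFilter(req, res);
            return;
        }
        final Set<String> roles = Collections.unmodifiableSet(lookup.rolesFor(user));
        // Downstream servlets see the injected identity through the standard accessors.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return user; } };
            }
            public String getRemoteUser() { return user; }
            public boolean isUserInRole(String role) { return roles.contains(role); }
        }, res);
    }

    public void destroy() { }
}
```

The container evaluates `<security-constraint>` elements in web.xml before any filter runs, so only programmatic checks such as `request.isUserInRole(...)` inside the application see the wrapped identity. The identity returned by the lookup has to come from something the server itself verified, not from a client-supplied header or parameter.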