I am using Resin2.0. In our Intranet, all the user requests are directed to a servlet which does the authentication and redirects to the respective jsp files.

Stephen McConnell

Actually an excellent design pattern is to create a base class like MyCompanyJSP as an abstract class. All JSPs will extend this class. Then, you can put an abstract _jspService(request, response) method in your MyCompanyJSP class.

You should place a "user" mediator in a "request" attribute each time the controller servlet is called that contains the user's authentication. Now, you can create "concrete" doPost and doGet methods which do authentication. Unless there is a valid "user" mediator in a "request" attribute and that user mediator validates the user's ability to access that page, then the page is not displayed and forwards to a "not authorized" page.

If one just types in the URL, the "user" mediator is not available and the page access is not valid.

This is one way we do this at our shop.
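
A sketch of the base class described in the answer above, added here as an illustration and not the poster's code. The `UserMediator` interface, the `"user"` attribute name and the `/notAuthorized.jsp` path are assumptions; a page would opt in with `<%@ page extends="MyCompanyJSP" %>`.

```java
import java.io.IOException;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.HttpJspPage;

public abstract class MyCompanyJSP extends HttpServlet implements HttpJspPage {
    /** Hypothetical mediator type; the controller servlet creates one per request. */
    public interface UserMediator {
        boolean mayAccess(String servletPath);
    }
    static final String USER_ATTR = "user";                 // assumed attribute name
    static final String DENIED_PAGE = "/notAuthorized.jsp"; // assumed; must NOT extend this class

    // Body is generated by the JSP compiler for each page.
    public abstract void _jspService(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException;

    public void jspInit() {}
    public void jspDestroy() {}

    public final void init(ServletConfig config) throws ServletException {
        super.init(config);
        jspInit();
    }
    public final void destroy() {
        jspDestroy();
        super.destroy();
    }

    // HEAD is routed to doGet by HttpServlet, so it passes through the same check.
    protected final void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException { guard(request, response); }
    protected final void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException { guard(request, response); }

    private void guard(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Request attributes are set only by server-side code, so a URL typed
        // directly into the browser arrives without one and is refused.
        // After the controller's forward, getServletPath() is the JSP's own path.
        Object user = request.getAttribute(USER_ATTR);
        if (user instanceof UserMediator
                && ((UserMediator) user).mayAccess(request.getServletPath())) {
            _jspService(request, response);
        } else {
            request.getRequestDispatcher(DENIED_PAGE).forward(request, response);
        }
    }
}
```

Because `doGet` and `doPost` are `final`, an individual page cannot override them and skip the check.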