We implemented a setup with OpenSAML 2.0 authentication by doing the authentication in a separate servlet, which was set in the security filter to be accessible without authentication. This servlet then sets the same type of session attributes as the security filter does, essentially reusing the security filter for authorisation. I guess you could do something similar.
2009-08-09 22:15:15 UTC in SecurityFilter