While using the CVS HEAD version in a project, I had to fix a few things to make SecurityFilter work correctly in corner cases.
This patch does the following:
* The FormAuthenticator can either redirect or forward to the error page, based on the same request parameter as a successful login (default forward-mode)
* DefaultPersistentLoginManager now sets the context path as the generated cookie's path, to allow auto-login in all application pages.
* Fixed remember-me functionality with a FlexibleRealmInterface. Note that this interface has an added method for this fix.
* DefaultPersistentLoginManager#useIP default value is now false, to prevent problems with clients sharing the same IP via a proxy. You can go back to true via securityfilter-config.xml.
* Refactor DefaultPersistentLoginManager for easier subclassing
* Fixed handling of invalidated HttpSessions
* SecurityFilter now bails out when it cannot read its configuration file, instead of silently allowing the application to go on with a non-consistent state.
This version has been in production for a few months now, and has proven stable.
"Make it work" patch against CVS HEAD