My situation is:

1. I have a servlet which should not be accessible by unauthentified users. This servlet does some business logic and passes some intermediary data to a jsp secret.jsp via RequestDispatcher::forward(). (secret.jsp is just an example, there will be many servlets and/or jsps).

2. There is also a login jsp login.jsp.

3. In front of the servlet sits a filter which should redirect to login.jsp all the requests from unauthentified users. Basically doFilter() looks like:

   HttpServletRequest req = (HttpServletRequest) request;
   HttpServletResponse resp = (HttpServletResponse) response;
   
   if(-1 == req.getRequestURI().indexOf("login.jsp")) {//if page which is not whitelisted
       HttpSession session = req.getSession(false);
       if(null == session) {
           RequestDispatcher rd = req.getServletContext().getRequestDispatcher("/login.jsp");
           rd.forward(request, response);
       }
       else {
           //not whitelisted but already logged in...
           log("we are logged in");
       }
   }
   
   chain.doFilter(request, response);
   

The problems are

1. The forward in the servlet makes the filter be triggered 2*2=4 times (twice, because it goes back and forth, as the request comes in, and as the response is delivered). I would like it to be triggered only once (when the initial request comes in) – or at least only twice.

2. The session is started. I do not want the session to be started until the user hasn’t actually been successfully authenticated (i.e. sending the JSESSIONID cookie to the client).

What is the most elegant way to fix these issues?

I would like not to redirect by sending the browser a Location header, but instead do it internally.

Addendum

secret.jsp:

<%@page contentType="text/html" pageEncoding="UTF-8" import="java.util.*"%>
<%@taglib prefix="tags" uri="/WEB-INF/tlds/tag_library.tld" %>
<tags:wrapper title="hello world">
    hello ${requestScope.msg} 
</tags:wrapper>

which uses the tag in
wrapper.tagf:

<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@tag pageEncoding="UTF-8"%>
<%@attribute name="title" required="true" type="java.lang.String" %>
<%@attribute name="menu" type="java.util.HashMap<String, Object>" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <link rel="stylesheet" type="text/css" href="css/reset.css"/>
        <link rel="stylesheet/less" type="text/css" href="css/default.less"/>
        <script src="js/less-1.1.5.min.js" type="text/javascript"></script>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>${pageScope.title}</title>
    </head>
    <body>
        <div id="leftMenu">menu</div>
        <div id="body">
            <jsp:doBody/>
        </div>
    </body>
</html>