I have come across some security access filters which are using request.getRequestDispatcher(...).forward() and .include() from within the filter. If the user is not authorised, they get forwarded to an error page from within the filter.
Does this seem an acceptable technique to use or should we consider other options such as writing the html page from the filter?
The .include() is being used in one place to call in a servlet that does a bunch of checks and being used for other things too.
The secret to creativity is knowing how to hide your sources.