I think your best option would be to use <security-constraint> tag in web.xml There you can state in what url-patterns and servlets the user must have logged-in before accesing them. And use <login-config> tag to specify the login and login-error page. Check head first servlets & jsp book, it's explained very well in there. I think there's a tutorial at javaranch but I'm not sure.
That doesn't give you much control over the process. I prefer to use a filter.
Although in this case I'm not getting what the OP is trying to do. What's the point of catching the illegal state exception and trying the same thing again? [ August 29, 2008: Message edited by: Bear Bibeault ]