This should be something that you check independently of any servlets in a filter. That way, you (a) don;t have a bunch of repeated code in each servlet checking authentication, and (b) the filter can make its decision prior to any servlet deciding to emit output (after which the response becomes committed).
I have not used filters before although just had a quick read up on them and it seems like I would put them in the Document Descriptor for all URLs containing /restricted/*
Then what happens whenever someone tries to access one of those files, the request first gets passed through a java file which does all the authentication checking based on the HttpSession data & redirects the user if they are not authorised.
Have I got the gist of that correctly?
Sounds simple enough..... now time to give it a go :-)