Placing your authentication as well as authorization logic in the Servlet filter could be an option, in case you don't want to use the declarative security provided by a container. You get a looser coupling between the functionality defined by your application. In this scenario, however, you will have to implement the authentication logic yourself; you can also use any of the security frameworks available "out there", e.g. JAAS, Spring Security, you name it.
With regard to the security patterns, I would advise you to have a look at the book "Core Security Patterns", which describes, for example, the Authentication Enforces (if I am not mistaken) design pattern.
As a result, the possible scenario could be to define a servlet filter, which will delegate to your authentication enforcer, which, in turn, will either perform the authentication itself, by calling a DB for example, or will delegate to a security framework you choose to use, e.g. JAAS.
Hope it helps,
Janis
SCEA 5.0, SCBCD 5.0, SCWCD 1.4, SCJP 5.0
OMG-Certified UML Professional, Intermediate; OMG-Certified UML Professional, Fundamental
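The filter-to-enforcer-to-JAAS delegation described in the reply above, as an added sketch that is not part of the original post. The names `AuthenticationEnforcer`, `JaasAuthenticationEnforcer`, the JAAS entry `"MyApp"`, the `username`/`password` request parameters and the `subject` session attribute are all assumptions made for illustration.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical contract: returns the authenticated Subject, or null when rejected.
interface AuthenticationEnforcer { Subject authenticate(String user, char[] password); }

// Enforcer that delegates to JAAS; "MyApp" is an assumed JAAS configuration entry.
class JaasAuthenticationEnforcer implements AuthenticationEnforcer {
    public Subject authenticate(String user, char[] password) {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            LoginContext ctx = new LoginContext("MyApp", handler);
            ctx.login();                       // throws LoginException on bad credentials
            return ctx.getSubject();
        } catch (LoginException e) {
            return null;                       // fail closed on any login error
        }
    }
}

public class AuthenticationFilter implements Filter {
    private final AuthenticationEnforcer enforcer = new JaasAuthenticationEnforcer();
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute("subject") != null) {
            chain.doFilter(req, res); return;  // already authenticated
        }
        String user = req.getParameter("username"), pass = req.getParameter("password");
        Subject subject = ("POST".equals(req.getMethod()) && user != null && pass != null)
                ? enforcer.authenticate(user, pass.toCharArray()) : null;
        if (subject == null) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        if (session != null) session.invalidate();   // fresh session id after login
        req.getSession(true).setAttribute("subject", subject);
        chain.doFilter(req, res);
    }
}
```

Swapping in a database-backed enforcer only requires another implementation of the interface; the filter itself stays unchanged.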