Filtering requests involving security-constraints

Question

I have a Java web application that uses security-constraints to lock down access to resources. I\'m trying to manipulate the HTTP 401 response when authentication is required fo

Answer 1

First of all, if it is unspecified, this means that it is left as a container's implementation detail.
So you should look into WebSphere specifically.
I think the same would happen in Tomcat as well, since the security constraints (if I recall correctly) are implemented via Valves and so would precede the application code in the request chain.
From my point of view it makes sense, since if you assign the protection to your container, then if the request reaches your filter then it should have already passed your container's authentication mechanism (my point of view is that the filter is part of your resources).
In Tomcat you would solve your problem by replacing the Filter with a Valve