> ... since I made a direct request to the login page
> (sort of).

Just don't. Direct the user to his personal menu page, and let Jetty decide whether the user has to login first. This is how web/servlet security is designed: when a user requests a secure page, he is first authenticated by the servlet container and than redirected _automatically_ to the page he originally requested.

Hth,
Peter.

The answer above is the correct answer. However if you are backed in a corner I have a couple workarounds.

If you referene the login page directly (like if a user bookmarks it which is unpreventable by us poor developers) an error of type 400. (note that I'm using struts, hence the *.do in my paths, feel free to subtitute a servlet...)

So you could put a handler in web.xml like this:
<error-page>
<error-code>400</error-code>
/error.do
</error-page>

Now when that error occurs a request for /error.do will result. I then run code like this:

if( null == request.getSession( false ) )
{
// redirect to the context root
return mapping.findForward("login");
}
else
{
// redirect to welcome page
return mapping.findForward("home");
}

The result is that if the user references the login page directly and logs in, but error 400 is thrown, they end up being redirect to the welcome page anyway and it looks like they logged in correctly.

I have another trick if this doesn't work but it involves setting state in the session and using a jsp login page to check for the path that was used to arrive at the home page. But I think the error 400 trick works in almost all cases.

I hope the J2EE purists don't stone me for this.
-Jasen