I hate replying to my own posts :)
I set up a directory secured under apache using the auth_anon mod. Set the index.html to redirect to a logon.jsp. The logon.jsp looks in the Authorization header (request.getHeader("Authorization")).
If the user has authenticated, this will return something of the form "BASIC jksdhfksdhfkjsdhkfjsdhjkfhsdkjfh" where the rubbish is the Base64 encoded version of "username:password".
The problem with this is that the browser asks for the username and password and remembers it until you close the browser!!!!
If anyone wants any more info please contact me: firstname.lastname@example.org