I have a little problem with secured file using jboss - tomcat buddle

I have a secured servlet work this way:

- It purpose it to get offline file and deliver it to user

It first, try to access a bean, then check if the user have the right to access the bean, then if yes then it read the file and deliver it to the user.

however when the file id pdf (thus content-type is "application/pdf") it seem like IE send another request to download the file (I just guess, because it give me no error if the servlet is not secured), which seem to me that the request contain no security stuff, thus it give me an "unable to download" notice.

So, I just want to ask if there is anyway to config so that as long as request is send from one machine which user has login, it pass the security.

Or if what I guess is not the case, can anyone tell me what happen and how to get around this

Regards,