Thanks Stephan. In my case, the negotiation should be called in specific cases even when there is an existing subject on the session. But as negotiate is only called when there is no subject (findSubjectOnSession(...)) on the session, there is no way to hook in as doFilter is final.
Consider the following login scenario:
- login either by request parameters that contain username and encrypted password
(e.g. for embedding my application into an existing webapp)
- or by traditional login using basic authentication (login box)
where both login box and parameter login would authenticate against data stored in the same database.
Actually I do not see the reason why doFilter must be final.