I have simple test app. that secures a subdirectory. If I navigate to that directory directly in the browser, I'm redirected to login form as expected. However if I forward to a page in the secure directory from an unsecured page using <jsp:forward>, it displays the secured page without forcing a login. Is this the expected behavior? Thx.