If one would like to implement Spring Security based authorization at the Tomcat Valve level, would there be any obvious problems with that approach? In more detail: having a Tomcat Valve delegate the Catalina request to the same Spring Security authentication filter chain that DelegatingFilterProxy usually delegates to when SS is applied normally at the web application level. The problems I'm thinking of are something along the lines of session management and original request wrapping (there are others too), as the Valve environment is not exactly the Servlet container environment. The authentication type is SAML-based SSO (SS SAML2 extension), but I don't know if that makes any difference.
Not sure if any of this makes sense, but I guess the point is to have authentication at a level lower than the web application, so that it shouldn't be possible to get past it by deploying a new web app to a different context root, etc. Something like JOSSO's SSO Agent Valve (CatalinaSSOValve).
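
The delegation described in the question, sketched as an added example (not code from the post, Tomcat, Spring Security or JOSSO), to show where the request-wrapping concern surfaces. The class name `SecurityFilterChainValve` and the constructor wiring are hypothetical; it assumes the Spring Security filter chain bean is built in a class loader visible to Tomcat itself and handed to the Valve as a plain servlet `Filter`.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;          // jakarta.servlet.* on Tomcat 10 and later
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// Hypothetical Valve: runs the security filters before any web application is reached.
public class SecurityFilterChainValve extends ValveBase {

    // Assumption: the same filter chain bean that DelegatingFilterProxy would
    // look up inside a web application, created outside of any web application.
    private final Filter securityFilterChain;

    public SecurityFilterChainValve(Filter securityFilterChain) {
        this.securityFilterChain = securityFilterChain;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Catalina's Request and Response implement the servlet HTTP interfaces,
        // so they can be passed to a servlet Filter unchanged.
        FilterChain continuation = (req, res) -> {
            // Reached only when no security filter rejected or redirected the request.
            // The filters may pass on a wrapper, but the next Valve accepts only the
            // original Catalina objects, so state held only by the wrapper is lost.
            // Copy the authenticated identity onto the original request explicitly.
            Principal user = ((HttpServletRequest) req).getUserPrincipal();
            if (user != null) {
                request.setUserPrincipal(user);
            }
            getNext().invoke(request, response);
        };
        // Fail closed: if a filter throws or commits a response without calling
        // the continuation, the rest of the pipeline is never invoked.
        securityFilterChain.doFilter(request, response, continuation);
    }
}
```

Tomcat instantiates Valves declared in `server.xml` through a no-argument constructor, so the constructor injection shown here stands in for whatever bootstrap creates the Spring context.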