I tried this out and it seems to do what I want, so thanks very much. Sorry to take so long to actually use a feature that I requested!
One question though:
In the LoginProxyServlet, you redirect to:
"/login/redirector?token=" + token.getToken() where the token value is the username-timestamp.
Is this token request parameter used later on in the chain? It doesn't seem to affect the behavior of the authentication mechanism or the security valve.
The reason I ask is if it is informational only, I'd suggest removing it. In my case, it stays visible for a second or two while our dashboard loads and it just seems weird to see the username in the URL.
Anyhow, obviously not a big deal provided it isn't a security issue (and I'm pretty sure it is not since I tried doing some basic URL manipulation).
Anyhow, thanks again.