How to authenticate all the http requests on the WebNMS server

Yes! We do understand your concern and the method you had suggested (blocking everything and allowing only selective files) is very much possible just with changes in configuration files.
Right now the AuthenticationFilter (configured in WEB-INF/web.xml) authenticates only the access to 'dynamic' files (.jsp, .do files).
This can be extended to authenticate every file (accessed through
http:// ...)

We had changed WEB-INF/web.xml as follows:

1. Instead of AuthenticationFilter filtering only *.jsp & *.do, we had changed it to
/* so that it will filter every file.
2. In excludeAuthentication tag, we had given the entries for jars, files & images which are required for webstart client & web client (to show the login screen).

We had got the modified WEB-INF/web.xml for your reference
To ensure that these changes do not get vanished when the compileJSP script is executed, include the same changes in web-header.xml & web-footer.xml too.

Do not copy the files as such. Better look at the modified lines (which are present in the link) and then change the same in your copy of the file.

Please compare this with your version of 
WEB-INF/web.xml which will give you an idea of what has been changed and how the same can be extended to your files too.

We believe this meets your requirement.
If you face any issues, please get back to us with the modified web.xml file & the log files inside NMS_HOME/apache/tomcat/logs.

This will help us to analyze the issue.