+3  A: 

When you do this :

((HttpServletResponse) response).sendRedirect("ExpenseManagementLogin.html");

you're sending the user right to the "ExpenseManagementLogin.html" page which is filtered with ExpenseAuthenticationFilter.

Here is your infinite loop.

As long as the user doesn't have a session it will loop. And as the filter is looping right to itself there won't be any session.
Same thing with your second filter. If a filter does a sendRedirect to a path that need to be filtered by itself. Unless you have some controls (here a session creation), you'll have an infinite loop.

As this filter only works on "ExpenseManagementLogin.html", why do you do this redirection ?

Colin Hebert