Please also secure the basic authentication (when not AD/NTLM is selected in the catalog).
One possible solution would be to redirect the user to the login page and then redirect the user to the original URL the user tried to access. If a session token already is valid a redirect would not be needed.
1) User access http://hostname/usm/FileStore/images/offerings/image.jpg
2) No valid session ID (JSESSIONID) is found.
3) Redirect user to loginpage for the Service Catalog but remember the originating URL. There are webscripts for that function.
4) The user login and then gets redirected to the origin/requested URL.