Posted a patch  to the Nevow tracker regarding guard.SessionWrapper. I leave to those with better knowledge of this to decide if it's good enough for a commit.
The need for the patch comes from that I want to be able to differentiate between incorrect logins and logins denied due to, for example, too many failed attempts. The patch modifies SessionWrapper.ebLoginError to trap LoginFailed instead of UnauthorizedLogin and therefor catches all the subclasses of LoginFailed (including UnauthorizedLogin and LoginDenied). The patch also let's you decide the message that will be appended to the login-failure argument of the URL by taking the text representation of the failure.