Using JBoss 4.0.4.CR2.

We deploy an EAR with a contained WAR, which declares a FORM based login Security profile refering to a self-made login module derived from the JBoss DatabaseLoginModule.

All works fine at startup. Users can login, roles are checked etc, etc.

However, if I deploy a new version of the EAR (code updates) and press 'Refresh' on the browser I get a '403 Forbidden' status back. If I modify the browser URL and add a '?' to it then press return, I get the login page.

We are using JSF (with Facelets 1.1.4) which POSTs all requests (never does a GET).

My workaround is to redirect the '403' page in Tomcat to a servlet that tests if the request is a POST, if so it redirects to the context root with a GET.

Is there a better solution to this?

Dave