Have you tried with a servlet filter which intercepts the j_security_check call ?
I have tried using a servlet-filter in order to do pre- and post-processing to j_security_check but it didn't work. There are some other people reporting that filtering j_security_check isn't possible.
Also using a custom loginmodule isn't possible because of caching security information (see http://www.jboss.org/index.html?module=bb&op=viewtopic&t=47640).
We have tried the 'redirect' option, and it works with JBoss 4 / Tomcat 5, though we have not tried it with other containers. Again, we do not prefer this option as it encodes the username and password on the URL (though we do SHA1 the password before it is put onto the URL). For now, we can continue with development, and at a later time will try using HttpClient with POST.