We are using form based J2EE security in combination with a custom UsernamePasswordLoginModule. The entire web site is protected.

<login-config>
 <auth-method>FORM</auth-method>
 <realm-name>ASM AD Authentication</realm-name>
 <form-login-config>
 <form-login-page>/login/login.jsp</form-login-page>
 <form-error-page>
 /login/authenticationFailed.jsp
 </form-error-page>
 </form-login-config>
 </login-config>

Here's what is happening now: If a user tries to access a URL for a web app, they are redirected to the login.jsp above which submits to the JBoss j_security_check action. After they are authenticated, they are then redirected to the URL they requested.

The above works fine...if the user is requesting the "start" page for a web app and is authenticating for the first time. However, if they have bookmarked a "non-start page" in the application, or have clicked on a link after their session times out, after they are redirected to the login.jsp, authenticated by JBoss, and then sent to the URL requested, it causes problems because many URL's they are hitting expect objects in session, request, etc, and it's causing null pointer exceptions in our logs.

Here's what we want to do: If an unauthenticated user tries to access a URL that is NOT the "start" page for an application, they are redirected to specific page AFTER they are authenticated, and not the original URL requested which might cause problems.

I hope the above makes sense.