For reference, this is the environment:
JBoss AS 4.3.0.GA
Postgres Plus 8.3
Windows XP (Dev Machines) / Red Hat Enterprise Linux Server release 5.2 (Prod)
This is a valid bug. The CAS SecuredURLPattern needs to filter /sec from its list.
This fix should be available in the next release. Until then, you can override the getSecuredURLPatterns method on the Valve with this filtering
Excellent, that did the trick.