So I did more research... and the problem is that people should not go directly TO the login.jsp... but when you use a protected page and get redirected to this action/page, how can you PREVENT people from bookmarking it right then and there? That's what is happening... the login form comes up... people bookmark it. All I can think to do is to have a link saying "bookmark this page" and actually have it bookmark a protected action... what do you think?
Or... is there a way to mask the actual URL so that you can trick the browser? Ugh. This is a little frustrating as apparently a lot of our customers are bookmarking the login page and then when they attempt to use it, login fails.
You can try adding this to your web.xml:
It may ask the user to login again (the behaviour varies between app-server vendors).