We deploy an EAR with a contained WAR, which declares a FORM-based login Security profile referring to a self-made login module derived from the JBoss DatabaseLoginModule.
All works fine at startup. Users can log in, roles are checked, etc.
However, if I deploy a new version of the EAR (code updates) and press 'Refresh' on the browser I get a '403 Forbidden' status back. If I modify the browser URL and add a '?' to it then press return, I get the login page.
We are using JSF (with Facelets 1.1.4) which POSTs all requests (never does a GET).
My workaround is to redirect the '403' page in Tomcat to a servlet that tests if the request is a POST; if so, it redirects to the context root with a GET.
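
A sketch of the workaround described above, as an added example that is not part of the original post: the class name, package and `/forbidden-post` mapping are hypothetical. It assumes the `javax.servlet` 2.5 API and that the container keeps the original request method when it dispatches to the error page.

```java
// Added example, not the poster's code. Names and the URL mapping are hypothetical.
// Assumed web.xml wiring:
//   <servlet><servlet-name>forbiddenPost</servlet-name>
//     <servlet-class>example.ForbiddenPostRedirectServlet</servlet-class></servlet>
//   <servlet-mapping><servlet-name>forbiddenPost</servlet-name>
//     <url-pattern>/forbidden-post</url-pattern></servlet-mapping>
//   <error-page><error-code>403</error-code>
//     <location>/forbidden-post</location></error-page>
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ForbiddenPostRedirectServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container sets this attribute only on an error dispatch, so a
        // direct request to the mapping carries no status code and gets a 404.
        Object status = req.getAttribute("javax.servlet.error.status_code");
        if (!Integer.valueOf(HttpServletResponse.SC_FORBIDDEN).equals(status)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if ("POST".equals(req.getMethod())) {
            // Fixed target built from the context path only, never from request
            // parameters or headers, so the redirect cannot be steered elsewhere.
            // The POST body is dropped; 303 makes the browser follow up with a GET.
            resp.setStatus(HttpServletResponse.SC_SEE_OTHER);
            resp.setHeader("Location", req.getContextPath() + "/");
            return;
        }
        // Every other method keeps the 403, so genuine authorization failures
        // stay visible to the user and in the access log.
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        resp.setContentType("text/plain");
        resp.getWriter().write("Forbidden");
    }
}
```

Because every forbidden POST is turned into a redirect, a role-check failure on a POST looks the same as the post-redeploy case; the 403 remains in place only for non-POST requests.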