According to the servlet spec there are no requirements for the container to store anything else than the request url (and the get params with it) and Tomcat behaves exactly so - it stores the request url and then redirects the user back to it. So the simplest solution is using GET instead of POST. If you must use POST i recommend that you extend your security restrictions to the page which holds the form and perform a check on the destination page for the presence of the form fields. Or you can rewrite the org.apache.tomcat.request.AccessInterceptor to do the storing of POST params for you.
Anyone has an example that solves this problem? I am also having the same problem.