1 Reply Latest reply on Jun 23, 2002 3:36 PM by kpseal

    "Invalid direct reference to form login page" under JBoss 3.

    kpseal

      I'm attempting to port a working LoginModule from 2.4.4 to 3.0.0 RC1 and have hit upon this rather spurious problem.

      Basically a protected web resource is correctly redirecting to the form-based login page but, upon submission, I get the following message:
      HTTP 400: Invalid direct reference to form login page

      Here are various snippets relating to the login method:

      web.xml:
      [pre]
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/util/login.jsp</form-login-page>
          <form-error-page>/util/login-error.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>adminPages</web-resource-name>
          <description>Pages visible only to administrators</description>
          <url-pattern>/admin/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      [/pre]

      /util/login.jsp:
      [pre]

      Username:
      Password:


      [/pre]

      I've seen a similar posting on this forum that suggested encoding the form action as follows:
      [pre]<%= response.encodeURL("j_security_check") %>[/pre]
      This seems to result in some progress as I don't get an error back. However, the login page is shown to the user again after a successful submission (ad infinitum).
      My login module reports that it is finding the user and that the user has the correct roles for the site, so I'm a bit stumped as to why this isn't working on 3.0.0 RC1.

      Has anyone got any ideas?!
      Thanks in advance.

        • 1. Re: "Invalid direct reference to form login page" under JBos
          kpseal

          Further fiddling has got this to the point where it now shows the login page three times, each time with a different jsessionid in the URL. Eventually it will let me proceed to the restricted web resource!
          I'm not sure what's causing this problem - the jsessionid in the URL matches that in the form action:
          [pre]
          localhost:8080/util/login.jsp;jsessionid=6C7D75D52B3DDC91F4F54A3E436B6525
          ...

          [/pre]
          Yet I'm getting a new jsessionid the next time round!

          Any ideas?!
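As an added example (not kpseal's code, which the forum stripped from the post), here is a login.jsp that matches the web.xml quoted above. It assumes the page is only ever reached through the container's redirect from a protected URL and that the browser keeps the same session between the challenge and the POST; the "Invalid direct reference" 400 is what Tomcat's form authenticator returns when no saved request is found in the session at j_security_check time, so losing the session (or a new session per request, as in the changing jsessionid above) produces exactly the symptoms described.

```jsp
<%@ page contentType="text/html; charset=UTF-8" session="true" %>
<%-- Added example login page for the web.xml above (assumption: /util/login.jsp).
     The Servlet spec fixes the action name j_security_check and the parameter
     names j_username / j_password; the container, not this page, processes the POST
     and then replays the originally requested protected URL. --%>
<html>
<head><title>Login</title></head>
<body>
  <%-- encodeURL appends ;jsessionid=... only while the container has not yet
       seen a session cookie from this browser. If the browser drops the cookie
       and the rewritten URL, the POST arrives with a fresh session, the saved
       request is gone, and the container answers 400 or re-challenges. --%>
  <form method="POST" action="<%= response.encodeURL("j_security_check") %>">
    <label>Username:
      <input type="text" name="j_username" autocomplete="off">
    </label><br>
    <label>Password:
      <input type="password" name="j_password" autocomplete="off">
    </label><br>
    <input type="submit" value="Log in">
  </form>
  <%-- Do not link to this page from menus: it is only meaningful when the
       container redirected here after challenging a protected resource. --%>
</body>
</html>
```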