Just want to clarify some things,
in web.xml there is a <form-login-page> element as well as <form-error-page> in the <form-login-config> section. I'm wondering, what is the standard behaviour (by the spec or whatever) in case the login succeeds, what page is it supposed to go to?
In case I was accessing a protected resource, after successful authentication it returns back to the resource (protected) that was requested.
In case I went directly to the login page (so that all protected resources become available by default), I always get redirected to the form-error-page.
What would be a workaround?
In my experience you cannot reference the login page directly; that's probably your problem. The login page can only be a side effect of accessing secured resources without being authenticated.
Here is the solution offered by Christian Kubczak:
A good solution would be the use of a welcome page such as index.jsp or
index.html. This page should have protected access to _all_ users so that
there is a guarantee that the login is called for each user. Then you don't
have to call the login page directly, which causes your error. Instead you
call the index site, automatically calling the login redirecting to it.
That's how I solved this problem myself in a project, btw...
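
The welcome-page approach described above, as a web.xml sketch added here (it is not from the original thread). The role name user and the file names index.jsp, login.jsp and login-error.jsp are assumptions.

```xml
<!-- Fragment of WEB-INF/web.xml. The web-app version/namespace attributes are
     omitted and should match the servlet version your container uses. -->
<web-app>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Protect the welcome page so that the container starts the login as a
       side effect of requesting it. Links and bookmarks should point at
       /index.jsp, never at the login page itself. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Welcome page</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role; every account that may log in must hold it. -->
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Both pages sit outside the protected pattern above. The form in
           login.jsp posts j_username and j_password to j_security_check. -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

With this layout the container has an original request (/index.jsp) to return to after a successful j_security_check, which is the case the first post reports as working.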