from the servlet 2.3 spec: "In order for the authentication to proceed appropriately, the action of the login form must always be j_security_check."
if you use another form action instead, authentication simply does not happen.
this behaviour is the same for all web-containers, e.g. also for tomcat standalone, which has its own realm implementation and does not make use of jaas.
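
An added example, not part of the original post: a Servlet 2.3 form-login configuration with a login form that posts to `j_security_check`. The URL pattern, page paths, role name and realm name are assumptions chosen for illustration; `j_username` and `j_password` are the field names the servlet spec requires.

```xml
<!-- WEB-INF/web.xml (fragment, Servlet 2.3 element order) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected area</web-resource-name>   <!-- assumed name -->
    <url-pattern>/secure/*</url-pattern>                    <!-- assumed path -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>                             <!-- assumed role -->
  </auth-constraint>
  <!-- optional: have the container require a protected transport for these
       URLs; the login page itself is protected only if the pattern covers it -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>example realm</realm-name>                    <!-- assumed name -->
  <form-login-config>
    <form-login-page>/login.html</form-login-page>          <!-- assumed path -->
    <form-error-page>/login-error.html</form-error-page>    <!-- assumed path -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- /login.html: the page named in form-login-page above.
     The action must be j_security_check. If the form posts to anything else
     (for example a servlet of your own), the container's login never runs
     and no authenticated user is established. -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="log in"/>
</form>
```

The container serves the login page itself when an unauthenticated request hits a protected URL, so a quick check after deployment is to request a URL under the protected pattern and confirm the form appears and the login succeeds from there.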