In my login.jsp, I take the following actions:
check the session for a "beenForwarded" flag
if it is found, immediately remove it
if the flag is set to true:
-display the rest of the login page
-add a flag to the session called "beenForwarded" and set it to true
-call response.sendRedirect(put a restricted page here)
This takes care of the problem of not being able to post directly to your login page (for instance if the user bookmarks it). It also allows you to set the page that newly authenticated users should be directed to.
I've posted the code in another thread called j_security_check but it's taking its time to show up.
Hope this helps,