Do you get the same behavior under Tomcat and Jetty?
I haven't tried Tomcat but isn't Jboss using Jetty by default. I suspect this is a Servlet specification problem, but I am not sure.
How would the container know where to go when j_security_check is called?
Yes default is Jetty for now. However I've seen the same kind of issues with Jetty security but haven't tested with Tomcat yet either. I'll be upgrading to Tomcat soon just to see if the security would work better. If you find out anything on the Tomcat side I'd be curious to know.
It's the same thing with Tomcat.
I use the same solution proposed.
Now how do you prevent people from bookmarking the login page? By clicking on their bookmark, they end up at the login page with no current context.