This is a feature of tomcat. Read this long discussion which concludes that
I received a clarification from Yutaka Yoshida (lead for the 2.4 spec) with this clarification:
"In regards to this issue, servlet EG had a consensus that Filter must not be applied for j_security_check. We believe the application component should not be involved in the container-managed security. Although we understand why people are using filter to manipulate the authentication mechanism, it doesn't solve all issues related to the security and must be addressed in a larger scope of the portable authentication mechanism, which I expect to have in the next version of the specification. "
Thanks for the quick reply, however the issue for my webapp isn't that a Filter is not being applied to j_security_check, it's that the Filter is not being applied to the login-form-page (the page that does a POST to j_security_check).
Regardless, it sounds like this is a tomcat issue, and not a JBoss issue, so I'll looking for answers over there.