I am using JBoss4.04RC1 btw with bundled Tomcat
I am facing the exact same problem, where I am using container-based security and everytime I move from authentication during login to the site which is a HTTPS page to say a normal HTTP page, it kickes me out to the main login page as if I was not authorized to view the HTTP page!!
From what I have read so far, I think some webservers treat the HTTP and HTTPS to be 2 different domains hence 2 completely different requests to the server. If you have got the solution to this problem can you post it up here too?
Thanks in advance,
I 'solved' this by redirecting after a login to a HTTP port, instead of keeping on the HTTPS one. This works, the server auth doesnt complain about that (used with j_scecurity_check). But ofcourse it's kind of ugly, having to redirect just to get rid of this.