I ran into a pretty strange issue with CSS links inside the login page, using the FORM authentication method. Take a look at this page header:
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <title>Main login page</title>
  <link href="css/main.css" rel="stylesheet" type="text/css">
</head>
<body>
--- rest of the page ---
The reason is that the CSS file is also secured (it cannot be sent to a client before logging in). Just put the CSS in a non-secured location. E.g., you can specify two different URL patterns with different security constraints in your web.xml.
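
Added example, not part of the original answer: a web.xml layout with two security constraints, one leaving the login page's stylesheet directory public and one protecting everything else. The role name `user`, the pages `/login.jsp` and `/login-error.jsp`, and the resource names are assumptions; only the `css/` location comes from the page above.

```xml
<!-- Added example. Keep the namespace/version attributes of your existing
     <web-app> root element; they are omitted here. -->
<web-app>

  <!-- Public: static assets the login page itself needs.
       Omitting <auth-constraint> entirely means no authentication is required.
       Note: an EMPTY <auth-constraint/> means the opposite (deny everyone). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public static assets</web-resource-name> <!-- assumed name -->
      <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Protected: everything else requires an authenticated user in the role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name> <!-- assumed name -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name> <!-- assumed role -->
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>        <!-- assumed path -->
      <form-error-page>/login-error.jsp</form-error-page>  <!-- assumed path -->
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

The container applies the constraint whose URL pattern is the best match for the request, so `/css/main.css` falls under the public `/css/*` constraint rather than `/*`. Keep only files that are safe to serve to anonymous clients under the public path.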