One thing that is not completely clear from your description is whether or not the user has actually authenticated to the servlet container. Just because the login form is returned does not necessarily mean authentication did not happen. To be more specific...
Consider the case when a request is made to the login form page directly. The user fills out the form and submits. If the user authenticated correctly, then the container will redirect the user back to the originally requested page, which in this case happens to be the login form.
So I suggest trying one of two things. Either add some temporary code to your login form (jsp) to display something if the user is authenticated (i.e. request.getUserPrincipal()). Or create and secure another page (we'll call it main). Then request main. If the user has not authenticated, they should be forwarded to the login form. Once authenticated, the user should be forwarded back to main.
A million thanks for pointing me in the right direction. I was indeed pointing the container to the login form even when user was authenticated.
I was using sendRedirect() in my error page to go back to the login form. Once I changed that to jsp:forward, things work perfectly.
Don't mess with the form auth setup (do not deal with form login page or error page via redirects etc in your application). Your job is to just configure it in web.xml or change the look and feel of the login/error pages.
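The setup the replies above describe, as an added example that is not part of the original thread: a web.xml fragment that secures a "main" page and leaves the login and error pages to the container. The file names /main.jsp, /login.jsp and /error.jsp and the role name "user" are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml fragment (constructed example; paths and role name are assumptions) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Protect the page users actually request. The container intercepts
       unauthenticated requests to it and serves the login form itself. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/main.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- login.jsp only renders a form that posts j_username and
           j_password to j_security_check; the application never links
           or redirects to it directly. -->
      <form-login-page>/login.jsp</form-login-page>
      <!-- error.jsp only renders the failure message; it does not call
           sendRedirect() back to login.jsp. -->
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Role referenced by the auth-constraint above. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

To check the flow, request /main.jsp rather than /login.jsp, and temporarily print request.getUserPrincipal() on main.jsp to confirm that the container has authenticated the user.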