More details will be required. Please post the contents of the web.xml, jboss-web.xml and the URL which you are using to access the application. Also please obtain the TRACE level logs of the jboss security package as mentioned in Q4 at:
You do not do "j_securitycheck" directly. You try accessing a resource, the container will redirect to "j_securitycheck", and then you pick up this redirect, plug in your userid/passwd and then make a POST.
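The sequence described in the reply above, as an added example that is not part of the original thread: a Python client run against a constructed, simplified stub container on localhost. The `/app/...` paths, the `alice` account and the stub's habit of redirecting a rejected login back to the login page are assumptions; `j_security_check`, `j_username` and `j_password` are the names the Servlet specification defines for form login.

```python
import http.server, secrets, threading, urllib.parse, urllib.request
from http.cookiejar import CookieJar

SESSIONS = {}  # session id -> True once that session has authenticated

class StubContainer(http.server.BaseHTTPRequestHandler):
    """Constructed, simplified stand-in for a container doing FORM auth."""
    log_message = lambda self, *args: None  # keep the demo quiet
    def _sid(self):
        return self.headers.get("Cookie", "").partition("JSESSIONID=")[2] or None
    def _send(self, code, body="", **headers):
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name.replace("_", "-"), value)
        self.end_headers()
        self.wfile.write(body.encode())
    def do_GET(self):
        if self.path != "/app/secure":
            self._send(200, "login form posting to j_security_check")
        elif SESSIONS.get(self._sid()):
            self._send(200, "protected content")
        else:  # unauthenticated: open a session and send the client to log in
            sid = secrets.token_hex(8)
            SESSIONS[sid] = False
            self._send(302, Location="/app/login.jsp",
                       Set_Cookie=f"JSESSIONID={sid}; Path=/")
    def do_POST(self):
        size = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(size).decode())
        creds = (form.get("j_username"), form.get("j_password"))
        ok = (self.path == "/app/j_security_check" and self._sid() in SESSIONS
              and creds == (["alice"], ["example-pw"]))  # constructed account
        if ok:
            SESSIONS[self._sid()] = True
        self._send(302, Location="/app/secure" if ok else "/app/login.jsp")

def start_stub():
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), StubContainer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def form_login(base, user, pw, resource_first=True):
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))  # carries JSESSIONID
    if resource_first:  # step 1: ask for the protected resource first
        opener.open(base + "/app/secure").close()
    data = urllib.parse.urlencode({"j_username": user, "j_password": pw})
    with opener.open(base + "/app/j_security_check", data.encode()) as r:
        return urllib.parse.urlsplit(r.geturl()).path, r.read().decode()
```

After `server, base = start_stub()`, `form_login(base, "alice", "example-pw")` ends at `/app/secure`, while the same call with `resource_first=False` ends back at `/app/login.jsp` because no session has a login in progress.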