Using an AJAX app based on http://www.zkoss.org, redeploy app, refresh page - Tomcat/JAAS/whoever redirects to the last AJAX URL and not the URL in the browser address bar. So the user just sees an empty AJAX response.
One Problem and related Solution
FORM login should allow the servlet generating the login page to define where the user should go after the j_security_check (e.g. http://www.jboss.com/index.html?module=bb&op=viewtopic&t=75386).
Possibly via a j_uri parameter (http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3867187#3867187). Or even better a general mechanism based on a context-param or insisting that all logins goto index.html regardless of browser URL.
This does not solve the original 'bug' but does allow work arounds and allows additional things such as optionally sending the user to a 'disclaimer' page after login.
P.S. I dug around the JBoss code (FormAuthenticator) but there is no simple generic way to grab the SavedRequest in the Coyote session 'note' and changing the URI.