More info: I think the problem has something to do with the fact that Jetty pushes the previous URI into a session variable called "org.mortbay.jetty.URI", AFTER stripping off the protocol, host and port from the URI it came from.
In other words, there doesn't seem to be any way for the FORM authentication to find out what protocol and port to go back to. I hate to introduce a hack in my application, like actually assembling the correct non-relative URL with a protocol, hostname and port from some properties file--that would make my app much more brittle.
Ugh. Any hints would be greatly appreciated.
It's always fun to answer your own questions:
This was a problem in Jetty. I submitted a patch, and presumably this will come out in Jetty 4.2.9.
Have fun in life!