By default JBoss Portal will display whatever welcome page is configured even if a user is not logged in. This page details what needs to be done in order to force the display of the login page if a user is not logged in if this behavior is desired.
These instructions refer to JBoss Portal 2.0.
The steps are the following:
Edit web.xml in jboss-portal.sar/portal-server.war/WEB-INF
Change the first security constraint from <url-pattern>/auth/</url-pattern> to <url-pattern>/</url-pattern>. This will force the display of the login page mentioned in the <login-config> section of the web.xml (FORM authentication is assumed).
Change the <form-error-page> in the <login-config> section of web.xml to point to an error page that is going to be displayed when authentication fails. Let's say that page is called badlogin.jsp. You would have then <form-error-page>/badlogin.jsp</form-error-page>.
Add a new servlet mapping to web.xml. This should look like:
<servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>/badlogin.jsp</url-pattern> </servlet-mapping>
Edit jboss-portal.sar/portal-server.war/login.jsp and submit the login form to /portal/j_security_check instead of j_security_check. This is not compliant with the servlet specification but it works. You would also have to change this if the root context of the portal is changed (replace portal in the string above with whatever root context you are running your portal under).
More details can be found on this thread in the forums: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3897840#3897840