Hugh,
It looks to me like the initially requested url was protected by an authorization constraint, and that you authenticated as a user that was not a member of a permitted role. If so, you would resolve this by defining or activating an appropriate principal-2-role mapping that maps the user to a permitted role.
if you can paste in your web.xml, and the "initially requested url", I think it will confirm what you are describing.
I don't think the browser is reflecting the revised url, because following login, a forwarding meachnism (as apposed to a redirection) is done to the initially requestd url (which does not involve the browser)
You can define a principal-2-role mapping for your application using Netbeans, or you can activate the default principal to role mapping for the app server, and make your user a member of an authentication group with the same nasme as a one of the roles permitted to access the resource.
you may find the following helpful:
http://docs.sun.com/app/docs/doc/819-3672/6n5sj2sio?a=view#indexterm-261
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=235453