After you've authenticated using FORM auth, the container will redirect to the original (protected) resource that prompted authentication to occur in the first place.
Since you seem to be accessing j_security_check directly, there is no "original" page to which the container could redirect you. This is why we redirect to "/", which causes the welcome page mechanism to kick in. Since you don't seem to have any welcome page configured, the default behaviour is to display a directory listing, which can be disabled by following the instructions in this FAQ:
http://wiki.glassfish.java.net/Wiki.jsp?page=FaqWebAppDisableDirectoryListings
[Message sent by forum member 'jluehe' (jluehe)]
http://forums.java.net/jive/thread.jspa?messageID=255070
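A deployment descriptor for the situation described in the reply above, as an added example that is not part of the original post or the linked FAQ. The URL pattern, page names and role name are assumptions, as is the per-application override of the default servlet's `listings` parameter, which presumes a Catalina-derived default servlet:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative WEB-INF/web.xml; paths, page names and the role name are assumptions -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- A request under /secure/* triggers FORM login; after success the
       container redirects back to the resource that was originally requested -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- With a welcome file in place, a redirect to "/" serves this page
       instead of falling through to a directory listing -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Assumption: the default servlet is Catalina-derived and honours "listings";
       this turns listings off for directories that have no welcome file -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
```

The welcome file only covers the context root; turning listings off is what keeps other directories without an index page from exposing their contents.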