Last night I emailed the person that resolved the original bug, and they are discussing forwarding for all cases. It seems that they inherited this interaction from Tomcat, which does a request dispatch for everything. Here is the code that I used to work around the problem.
index.jsp: attached
where the web.xml has:
<security-constraint>
<web-resource-collection>
<web-resource-name>services</web-resource-name>
<url-pattern>/portal/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>PARTICIPANT_GROUP</role-name>
<role-name>PARTICIPANT_ADMIN_GROUP</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>login</web-resource-name>
<url-pattern>/login/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login/</form-login-page>
<form-error-page>/login/?login_failed=true</form-error-page>
</form-login-config>
</login-config>
[Message sent by forum member 'lineman78' (lineman78)]
http://forums.java.net/jive/thread.jspa?messageID=357494