webtier@glassfish.java.net

Re: Login using realm security

From: <webtier_at_javadesktop.org>
Date: Wed, 07 Jan 2009 03:49:34 PST

Hi, Pradyut

As you've doubtless gathered, the request.getUserPrincipal() method will return null if you're not authenticated. Since the page you want to start at is not under a security constraint it will not initiate a container-based authentication mechanism.

What you could do is what tens of thousands (hundreds of thousands???) of developers already have done, which is to do a programmatic login in a backing bean for the index.jsp page. Your index.jsp simply gathers the username and password, and calls *your* login method (so no use of j_username, j_password, j_security_check). On success your login method does the redirection.

All J2EE application servers use different APIs for programmatic login, so you'll want to find the documentation specific to your server.

NOTE: a lot of JSF developers do this because they wish to use JSF components for the login and login error pages, and if you use those then it's not possible to use standard container-managed FORM authentication (unless you use Tomahawk-style "forceId" attributes on j_username/j_password). That's because the JSF component IDs get modified (e.g. "mainform:j_username"). You _can_ use JSF pages for your login pages with container-managed auth, but the form itself needs to be straight HTML.
[Message sent by forum member 'arveds' (arveds)]

http://forums.java.net/jive/thread.jspa?messageID=324514
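
The programmatic login in a backing bean described in the message above, as an added example that is not part of the original post and is not GlassFish's server-specific API. It assumes a Servlet 3.1 or later container, where HttpServletRequest.login() and changeSessionId() are standard methods; LoginBean and /secure/home.jsp are hypothetical names.

```java
// Added example: assumes a Servlet 3.1+ container and the javax.* namespace.
// LoginBean and LANDING_PAGE are hypothetical names, not from the original post.
import java.io.IOException;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

public class LoginBean {
    // Fixed, application-relative target: never redirect to a URL taken from the request.
    private static final String LANDING_PAGE = "/secure/home.jsp";

    private String username;
    private String password;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }

    // Action method bound to the login button on index.jsp.
    public String login() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ext.getRequest();
        try {
            // login() throws if a caller is already authenticated, so check first.
            if (request.getUserPrincipal() == null) {
                request.login(username, password); // checked against the configured realm
            }
        } catch (ServletException e) {
            // Same message for an unknown user and a wrong password.
            ctx.addMessage(null, new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Invalid username or password", null));
            return null; // stay on the login page
        } finally {
            password = null; // do not keep the password in bean state
        }
        // Rotate the session ID after authentication to prevent session fixation.
        if (request.getSession(false) != null) {
            request.changeSessionId();
        }
        ext.redirect(ext.getRequestContextPath() + LANDING_PAGE);
        return null;
    }
}
```

After a successful login() the container has an authenticated caller, so request.getUserPrincipal() is non-null on subsequent requests in the session.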