The problem happens when using the security example (jsp-examples/security/) in tomcat 5.5. If the user enters their password incorrectly they are redirected to error.jsp which has a link back to login.jsp. If you use this link and login with the correct credentials login.jsp is reloaded. If you try to login a 2nd time with the correct credentials you receive an error "The requested resource (/jsp-examples/security/protected/j_security_check) is not available." The problem is pretty simple. Since login.jsp, index.jsp and error.jsp are all in a secure realm using the link in error.jsp to reach login.jsp triggers authentication which brings up login.jsp as this is specified as <form-login-page> in web.xml. When the user is authenticated they are taken to the page in the realm they requested, which in this case is login.jsp. When they try to login for the 2nd time they get the error because they have already been authenticated and they are trying to load j_security_check (loading index.jsp proves they are logged in). This fixes it: In /jsp-examples/security/protected/error.jsp Change: <a href='<%= response.encodeURL("login.jsp") %>'>again</a>. To: <a href='<%= response.encodeURL("/") %>'>again</a>. Only checked on Windows and Linux, but since Tomcat is doing what it's supposed to do I imagine the example exhibits this behaviour on all platforms.
Typo in the fix In /jsp-examples/security/protected/error.jsp Change: <a href='<%= response.encodeURL("login.jsp") %>'>again</a>. To: <a href='<%= response.encodeURL("index.jsp") %>'>again</a>.
Thanks for the patch. It has been applied to trunk and proposed for 6.0.x and 5.5.x
This has been fixed in 6.0.x and will be included in 6.0.20 onwards.
This has been fixed in 5.5.x and will be included in 5.5.28 onwards. Thanks again for the patch.