HTTP Status 400 - Invalid direct reference to form login page.
This means that you manually opened <form-login-page> by a direct request while that's disallowed.
and it's obvious, j_security_check mechanism doesn't know where to "redirect", since I didn't request a protected resource before.
This is not what the error was trying to tell you.
Put the login page in /WEB-INF folder to prevent possible direct access. Then, to trigger login, just request the restricted resource directly. The container will automatically present the login page if necessary.
Or, if you don't have restricted-only resources (i.e. the login only shows more options/features, like in a discussion forum), then don't use a <form-login-page>, but instead a JSF form with a backing bean which invokes HttpServletRequest#login().