I've defined a security constraint on a page and a form-based login in the deployment descriptor. When I try to access the page for the first time, I'm taken to the login page. I enter a correct user and password and end up on the page. That's how I thought it is supposed to work and how it works almost always.
The problem is of course with the almost. Sometimes I get a 403, access denied, without being taken to the login page. The way I get in again is to redeploy the application without the security constraint and then with the security constraint. Can anyone shed some light on this phenomenon?
I would also be really interested if someone could explain the relation between security-roles defined in the application-, web- and ejb-jar DDs.