Welcome to the JavaRanch, Antal!
J2EE container security doesn't work quite like that, and neither do Tomcat URLs. In Tomcat, the "application" part of the URL is properly known as the application
context. Since a Tomcat server can host multiple applications, that part of the URL tells Tomcat which application to route requests to.
The only way to avoid having the "application" in the URL, is to deploy the webapp under the Root context, which has the "application" of "/". However, that would be a separate application from an application deployed under a context such as "myappname", and since 2 applications cannot communicate directly, having a login page under the root context wouldn't help the "myappname" context.
That's part of your problem.
The other part is your login page. In J2EE, you cannot route to the login and loginfail pages directly. Those pages are not processed in the usual way by the webapp, so attempting to specify "j_security_check" on a user-submitted page will fail.
What actually happens is that if Tomcat sees a request for a secured URL, it will sideline that request, look in the web.xml for the login page location, and send back the login page to the user. The user then submits the form on that page and Tomcat itself (NOT the application) processes the j_security_check. The application never actually sees the login happen.
If you want some really down-and-dirty details on how the whole process works, look back in this forum to about the middle of last week and you'll find a
thread where I outlined the process more completely.