This is the
JEE standard container-managed security system. There is no application code to handle j_security_check because that code is in the server itself (WebSphere in your case) and is pre-written, pre-debugged and the actual code is not visible nor modifiable by the application programmer.
In fact, most JEE webapp servers implement
security Realms which are a set of plug-compatible authenticators to be used by the server's j_security_check code. Popular ones include
jdbc lookups of userid/password, LDAP lookups, and others. You can usually even write your own, although this is not a "login" function, just a class that contains a method whose arguments are the incoming user ID and password and returns a true/false indication of whether the credentials were valid. Sometimes the Realm implementation may also construct a working-storage object that holds session-related security data (the UserPrincipal), but it never actually "logs you in". Only the webapp server can do that.
You cannot explicitly send people to a page with j_security_check on it. If you do, the webapp server will not be in the proper state to process it as a login. Instead, you set up the web.xml with URL security
patterns and if a user is not logged in but has requested an URL matching one of those patterns, the server will intercept the request and redirect them to the login page. Once the user has successfully logged in, the original request continues. The web application is completely unaware that a login occurred. There's no such thing as a JEE "login event.".
