I think I know what is happening, but this is only what I deduce, not what I know.
The example web-app uses container-managed, FORM-based authentication. That is what this page is for:
http://localhost:8080/examples/jsp/security/protected/login.jsp If you note that the form elements are named j_username and j_password, and also the action is j_security_check.
The action must be j_security_check, so that the container knows "that means forward this request to my internal authorization code, which expects something called j_username and j_password". You can customize login.jsp any other way, but that action and those form field names MUST be used if you want container-managed security to work.
One of the things that the container probably does as an efficiency
test, is checks first if the user making the request is ALREADY logged in. Why authenticate when they've already been authenticated?
Because you just click "back", you are not logged out, so your session continues to be valid. When the container receives your second request (one with a bad password), it sees you are already logged in, and it will "pass off" the request to the web application that is being protected. *THAT* application does not have a resource mapped to j_security_check, and so you get the 404
the solution is to logout with the link provided on index.jsp (the page you see after a successful login).
