You can not mix up things.
Either you use Form Based Authentication (You can design your own login page still and configure, but only one login page per application) or you design your own security and authentication mechanism.
The Access Control to Resources is set using <security-constraint> if your web application is properly organized then you can omit some or all resource from security.(When they are accessed you wont be kicked back to the login page)
Check this link. http://java.dzone.com/articles/understanding-web-security
The main aim behind Form Based Authentication is to check for whether user is active or not when accessing a resource within web application. Previously this was achieved by writing filters and checking for session and roles on access of resource. Now this has been made simple and user need not code for security checks.