I get my login.jsp and :-) without j_security_check in the url. And submitting the login page to j_security_check is the correct thing to do, .