This seems to be a fairly common occurrence when dealing with form-based authentication in Tomcat. Heck, Matt even blogged about it a year and a half ago. The error occurs when someone tries to directly access the same resource used by Tomcat to display the login page (e.g., ‘/login.jsp’, ‘/login.do’, etc.).
There are a number of technical solutions about this so I don't think I need to add another. But most of them miss the big picture: the important thing to remember is you should never have a reference to this resource anywhere in your application. The only places it should appear are:
It should appear no place else -- no direct links, no redirects, nothing. The user should never see a URL with the name of your form-login-page in it.
The thing is, this login page isn't a real resource. It's just a tool the container whips out when it needs to find out who you are. This tool doesn't do anything by itself, it's just there to gather some information and move you onto where you actually want to be -- kind of like how it wouldn't make sense to give your credit card to the person at a busy grocery store who directs you to the next-to-open cash register.