Invalid direct reference to form login page
At last I managed to work around the "Invalid direct reference to form login page" problem I had in my web applications using Apache Tomcat 4.x running from within JBoss. Whenever you use form-based authentication with the <login-config> element defined in the web.xml deployment descriptor, Tomcat has an obscure bug that is triggered when a user tries to access the system through the login page directly, e.g. http://www.mysite.com/login.jsp. After the user logs in through the login page, the error message "Invalid direct reference to form login page" is displayed. This problem gets very irritating because users tend to bookmark the web application through its login page, making the error crop up each time they try to enter the system. With the level of computer-literate users we've got in the company, changing the favourite link in their browser could easily be the most difficult chore they have to do in a month.
The solution that worked for me was to include this JSP code snippet in the login page of the web application. You need to replace roleSelection.jsp with the first page in the web application that requires authorisation.
<%
    // New session: the login page was requested directly, so go to a protected page first.
    if (session.isNew()) {
        response.sendRedirect("roleSelection.jsp");
        return;
    }
%>
There were some programmers who didn't solve the problem with this code, so it might be wise to check the following references for more information: Bugzilla Bug Nr. 3839, Bugzilla Bug Nr. 8976, and a Java thread at java.sun.com.
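The snippet above placed in a complete login page, with the matching web.xml fragment shown in the leading comment. This is an added example, not code from the original post: the file names login.jsp and loginError.jsp, the role name "user" and the assumption that all pages sit in the context root are illustrative, while j_security_check, j_username and j_password are the names the Servlet specification fixes for form-based login.

```jsp
<%--
  login.jsp (file name assumed). Matching web.xml fragment (names assumed):

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/roleSelection.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
--%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%
    // Fixed target chosen by the application. Never build it from a request
    // parameter or header, or the login page becomes an open redirect.
    final String FIRST_PROTECTED_PAGE = "roleSelection.jsp";

    // A new session typically means the browser opened login.jsp directly
    // (for example from a bookmark), so the container has no saved request
    // to return to after j_security_check succeeds. Redirecting to a
    // protected page lets the container intercept that request, remember it,
    // and present this login page itself.
    if (session.isNew()) {
        response.sendRedirect(FIRST_PROTECTED_PAGE);
        return;
    }
%>
<html>
  <head><title>Log in</title></head>
  <body>
    <form method="post" action="j_security_check">
      <label>User name <input type="text" name="j_username"></label>
      <label>Password <input type="password" name="j_password"></label>
      <input type="submit" value="Log in">
    </form>
  </body>
</html>
```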
1221. testing on 11/13/2009
1233. Mark Morris on 10/6/2010
Spent some time tracing through the Tomcat 5 & 6 source code and added a workaround and a detailed trace of the problem to Bug number 3839 (comment #14).
https://issues.apache.org/bugzilla/show_bug.cgi?id=3839#c14
The workaround did the trick for us but hopefully someone will fix org.apache.catalina.authenticator.FormAuthenticator so this isn't an issue anymore for everyone else!
Mark.