Never mind. I wrote some code to dump all the request attributes and headers and found it: javax.servlet.forward.request_uri javax.servlet.forward.context_path javax.servlet.forward.servlet.path I now see the problem. My site is secured on roles that correspond to directories. If the user just bookmarks my login.jsp or login.html page, I would have to have a way to know what their role is even if I could alter these request attributes. The real solution will be to dump them to an intermediate page that makes them click on a link appropriate from their role. Then the container should have no problems. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959365#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...