UI does not enforce role in auth-constraint


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • 1.4.2
    • Affects Version/s: 1.4.0
    • Component/s: UI
    • None

      By default the UI only applies a security constraint to /login.do. This allows alternative authentication schemes to easily bypass this URL. The web.xml defines a role - grouper_user - which it applies to the auth-constraint, thus limiting who can login to those with the role 'grouper_user'. However, if, after the initial error, a user removes 'login.do' from the URL they are able to access the application. This is possible because authentication was successful - a remote user is available - but the UI code does not enforce the role.
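      As an added defensive example (not Grouper's own code), a servlet filter that re-checks the grouper_user role on every request, so a path outside the /login.do security constraint no longer passes on authentication alone; the filter name and class are assumptions, and it complements widening the web.xml url-pattern rather than replacing it.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not Grouper's own code) that enforces
 * the grouper_user role on every request instead of only on /login.do.
 *
 * Map it to every path in web.xml so that removing "login.do" from the URL
 * no longer reaches a path the container never checked:
 *
 *   <filter-mapping>
 *     <filter-name>RequireGrouperUserRole</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RequireGrouperUserRoleFilter implements Filter {

    static final String REQUIRED_ROLE = "grouper_user";

    public void init(FilterConfig filterConfig) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A successful authentication (remote user present) is not enough:
        // the container only checked the role for paths under the
        // <security-constraint>, so re-check it here for every path.
        if (request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```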

            Assignee:
            Gary Brown (Inactive)
            Reporter:
            Gary Brown (Inactive)