<url-pattern> pattern is *.jsp, now all jsp is restricted access to authorized user only.
I think your index.jsp is at root of web application...
and you have given <http-method>POST</http-method> in <web-resource-collection> tag,
this means POST request only authenticate the user & I think you are calling by typing URL in browser that is GET request.
so you should add GET request support as added above.
Joined: Jul 10, 2008
If you want detail behavior of this you can get it from HFSJ's security chapter....