1. You are aware, I hope, that when using the J2EE container security login that the user does NOT request the login page as an explicit URL. It's presented automatically when a secured URL request is made and has no URL of its own. In other words: "http://www.myserver.com:8080/faces/Login.jsf" will not function as a valid request.
My login pages are generally stark html or vanilla JSPs
Have you checked that the query returns back the correct role(s) and it satisfies the role requirement noted in the web.xml for that resource?
FINE: Domain that failed(ProtectionDomain (file:/UserAdmin2/UserAdmin2 <no signer certificates>)
There are 2 messages in your log that bear investigating:
FINE: [Web-Security] Checking Web Permission with Principals : null
I can neither get more information on these errors from the stack trace nor Am I finding much online. I have set the logging to FINEST so isn't this the most granular level of logging?