
Issue with form based auth and requesting static resource after session timeout


We are using form-based auth in our GWT application and I'm currently struggling a lot with session timeout.

If the user is logged in and performs an action that triggers a request for a static resource AFTER the session has timed out, then the login page is shown, and when the user logs in again only the image resource is shown to the user. An example is if the user hovers the mouse over a button, and the button needs to fetch an icon which is shown on mouse over.

It is logical that this will happen, since the login page was triggered by the request for the image, but it is not really the behavior that we want. It would be much better if the user were redirected to the page he was on, or alternatively to another page.

How can this be handled in a better way? As I understand it, it is very difficult to change the redirect URL which j_security_check uses to redirect the user after successful login.


Solution

  • The way I solve it is to only protect the HTML host page with a <security-constraint>. Static resources (images, stylesheets, GWT scripts) aren't protected at all, and AJAX endpoints (GWT-RPC, RequestFactoryServlet, or other endpoints called using AJAX from the app) only check the presence of a user Principal in the request (this can be done in a servlet filter, or a RequestFactory ServiceLayerDecorator), and return an error otherwise (but do not trigger the login page).

    You can see an example web.xml here with the code to handle the security in RequestFactory here (and the code to handle the response on the client-side here). For GWT-RPC, you'd probably do that using a servlet filter and a custom RpcRequestBuilder or a base AsyncCallback<?> implementation.
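The Principal check the answer describes, written as a servlet filter for the AJAX endpoints. This is an added example, not the answerer's linked code; the filter name, the `/app/rpc/*` URL pattern and the choice of a 401 status are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Guards AJAX endpoints (GWT-RPC servlets etc.) without involving the
 * container's form-login page. Only the HTML host page carries a
 * <security-constraint> in web.xml; this filter is mapped to the RPC
 * URL pattern instead (assumed names):
 *
 *   <filter-mapping>
 *     <filter-name>principalCheck</filter-name>
 *     <url-pattern>/app/rpc/*</url-pattern>
 *   </filter-mapping>
 */
public class PrincipalCheckFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container exposes a user Principal only while the authenticated
        // session is alive; after a timeout this returns null.
        if (request.getUserPrincipal() == null) {
            // Plain error instead of a redirect: the client-side callback can
            // detect the 401 and reload the host page, which is the only
            // protected URL, so the form login lands the user back in the app.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "session expired");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

On the client, a base AsyncCallback can treat a StatusCodeException with status 401 as "session expired" and reload the host page rather than retrying the call.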