The current tomcat FormAuthenticator calls out to the error/login pages using a forward in the context of the j_security_check request and valves have no ability to see the post login attempt state. An extended form authenticator is needed to have sufficient control over this behavior.