The root cause of this is our ajax-based navigation. It seems that when the user clicks back, the
browser attempts to navigate to the j_security_check, which is where the login form was POSTed to.
The problem, it seems, is that the container only recognizes the "magic" URI (j_security_check) for
POSTs. The GET request from the back button, then, looks for a file by that name in the app, which is
not there, currently. I added a file by that name that redirects to / (which should probably be smarter
at some point), but I'm not sure what the security implications of that are. I'll follow up on the mailing
list for more input.