When the HstFilter in the web.xml is
instead of normally
then, in case of a JAAS login behind a proxy, the login fails and ends with a URL /site/login/resource
The reason is that the internal container security constraint on /login/resource forwards the request, but now the HstFilter listens to FORWARDS as well, and in the HstDelegateeFilterBean, this triggers a response with a redirect. After this redirect, again a redirect happens triggering j_security_check, which triggers a redirect to a URL starting with /site (also behind a proxy) that is not followed any more by another redirect.
The solution is, that the HstFilter should do chain.doFilter on requests that are a security request and that happen to be a forward.