It's something you can't configure in web.xml as it is not part of the standard. For Tomcat (tested on version 6.0.14) you can force users back to index.jsp by adding the next code on top of your login.jsp. It redirects every request that does not have a parameter with the name 'login' in the url to the /index.jsp?login page. Because the redirect does have the 'login' parameter the user will be presented the login page.
It's not a secure solution. If someone requests for a page and adds the login parameter, he will be redirected. So:
/showPerson?id=1234 will redirect to /index.jsp?login
/showPerson?id=1234?login will NOT redirect to /index.jsp?login
The code that goes on top of your login.jsp:
<%
if (request.getParameter("login") == null) {
response.sendRedirect(request.getContextPath() + "/index.jsp?login");
return;
}
%>
Instead of using the 'login' parameter you probably could use a cookie. You can make it more secure by creating a random value for the login parameter (login=randomvalue) and store the value in the session object for comparison.