As documented in the <access-denied-handler> element in the documentation's Appendix B, you can set the errorPage attribute to forward to a custom JSP. This could be your login page or whatever else you want. Keep in mind that at this point, the user is already logged in, so forwarding them to the login page (again) may be confusing.

As Raghuram suggested, you can also implement AccessDeniedHandler yourself, but I'd hold off on doing that unless you really need to.

I don't have the info in front of me, but if I remember correctly when you setup spring security you can give it url patterns to apply the security to. It sounds like your setup is including the login page in the patterns that security is applying to. You need to make sure that it is not. Go back to the spring security doco and you should be able to work this out. Also the spring logs are usually very good at helping with this sort of thing.

What you probably need to do is to override the default AccessDeniedHandlerImpl as documented here.