Move your application from /* to /something/* and then the login html pages won’t start up Vaadin.
Add a mapping for the specific html pages to the html pages. A mapping to those files will be more specific than /* and so will match the html pages rather than the Vaadin app.
(For #2 you might need to play around with it a little; I don’t recall the exact syntax.)
Vaadin wouldn’t work right if a mapping was more specific than '/', the application would simply not load. It only worked if (as in suggestion #1) it was mapped to /xxx/. Give it a try if you are curious, easy to reproduce.
If your application mapping is something else than “/", you also need a mapping (to the same servlet) for "/VAADIN/” - for more information, check
the book or various related forum posts.
I meant it more like this: map /* to your Vaadin application, and map /userauth/* or something similar to the JSP/HTML files you need for form-based authentication. You can protect /* with a security constraint that still allows access to the login form for the j_security_check.
The alternative is to map /foo to your Vaadin app, and as others point out you need to map /VAADIN/* as well. If it will help, I could post an example of form-based auth with Vaadin that keeps Vaadin mapped to /*. I think I can recall how to do that.