The JAAS login module is not called, resp is only called with cleared cache.
If the URL received in com.liferay.ext.portlet.login.action.LoginAction contains the language like /en/c/portal/protected or /de/c/portal/protected
then the configured JAAS login module is not called. It is only called on /c/portal/protected. The language usually comes from browser cache.
With the language in the URL the user is logged in successfully but without JAAS authentication.
Manually entering the URL http://localhost:8080/c/portal/protected then forces the JAAS authentication.