If you look at the Servlet specs, the explanation of the DTD for <auth-constraint> is as follows:
    The auth-constraint element indicates the user roles that should be permitted access to this resource collection. The role-name used here must either correspond to the role-name of one of the security-role elements defined for this web application, If no roles are defined, no user is allowed access to the portion of the web application described by the containing security-constraint. The container matches role names case sensitively when determining access.
So, in short, there has to be some role defined for a secured web resource, which is done through <auth-constraint>.
The username / password / role mapping is set up in another XML file, which is implementation dependent. For Tomcat it is (I am not sure, but something like) <tomcat-root>\conf\tomcat-users.xml.
Try this simple experiment. Have the following mapping in web.xml:
  <!-- the matching <servlet> declaration for "Info Servlet" is not shown here -->
  <servlet-mapping>
    <servlet-name>Info Servlet</servlet-name>
    <url-pattern>/servlet/Info</url-pattern>
  </servlet-mapping>

  <!-- protect GET /servlet/Info: only users in role "administrators" may access it -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Basic-Test</web-resource-name>
      <url-pattern>/servlet/Info</url-pattern>
      <!-- method names are matched case-sensitively: GET, not Get -->
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- auth-method values are upper case: BASIC, DIGEST, FORM or CLIENT-CERT -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>neon</realm-name>
    <!-- form-login-config is only used when auth-method is FORM -->
    <form-login-config>
      <form-login-page>/html/FormLogin.html</form-login-page>
      <form-error-page>/error/ErrorLogin.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- every role named in an auth-constraint must be declared here -->
  <security-role>
    <role-name>administrators</role-name>
  </security-role>
Now if you comment out <auth-constraint>, the server gets the message that all roles are given permission, so this is not a secure resource, and no authentication is required.
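As an added example (not code from the original post, and not any servlet container's own logic), here is a small Python checker that parses a web.xml fragment constructed to mirror the configuration above and applies the Servlet spec's combining rules for <security-constraint>: no <auth-constraint> lets anyone in unauthenticated (the experiment described above), an empty <auth-constraint/> denies everyone, and a list of roles permits only those roles, matched case-sensitively. Because <http-method> and <auth-method> values are matched case-sensitively as well, a lint() pass flags values such as Get or Basic that would leave the resource unconstrained, and points out that a constraint naming only GET leaves other methods uncovered. All function names, the sample web.xml and the result strings are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): the post's web.xml with
# http-method and auth-method upper-cased as the spec requires.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Basic-Test</web-resource-name>
      <url-pattern>/servlet/Info</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>administrators</role-name>
  </security-role>
</web-app>"""
VALID_AUTH_METHODS = {"BASIC", "DIGEST", "FORM", "CLIENT-CERT"}


def _local(tag):
    """Strip the namespace so a real (namespaced) web.xml parses the same."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def parse_web_xml(xml_text):
    """Return (constraints, declared_roles, auth_method).  In a constraint,
    methods=None means no <http-method> listed (every method is covered);
    roles is None for no <auth-constraint>, set() for an empty one."""
    root = ET.fromstring(xml_text)
    constraints, declared, auth_method = [], set(), None
    for child in root:
        name = _local(child.tag)
        if name == "security-constraint":
            patterns, methods, roles = [], set(), None
            for part in child:
                if _local(part.tag) == "web-resource-collection":
                    patterns += _texts(part, "url-pattern")
                    methods |= set(_texts(part, "http-method"))
                elif _local(part.tag) == "auth-constraint":
                    roles = set(_texts(part, "role-name"))
            constraints.append({"patterns": patterns,
                                "methods": methods or None, "roles": roles})
        elif name == "security-role":
            declared |= set(_texts(child, "role-name"))
        elif name == "login-config":
            auth_method = (_texts(child, "auth-method") or [None])[0]
    return constraints, declared, auth_method


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, '/prefix/*', '*.ext', default '/'."""
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern.startswith("*.") and path.endswith(pattern[1:])


def decide(constraints, declared_roles, path, method, user_roles=None):
    """Combine every constraint covering (path, method) as the spec says:
    an empty auth-constraint denies everyone, a missing one allows
    unauthenticated access, otherwise the permitted roles are the union.
    user_roles=None models an unauthenticated request."""
    applicable = [c for c in constraints
                  if any(pattern_matches(p, path) for p in c["patterns"])
                  and (c["methods"] is None or method in c["methods"])]
    if not applicable:
        return "uncovered"  # no constraint applies: no login needed at all
    if any(c["roles"] == set() for c in applicable):
        return "denied"
    if any(c["roles"] is None for c in applicable):
        return "uncovered"
    allowed = set().union(*(c["roles"] for c in applicable))
    if "*" in allowed:
        allowed |= declared_roles  # "*" stands for every declared role
    if user_roles is None:
        return "login-required"
    return "permitted" if allowed & set(user_roles) else "denied"


def lint(xml_text):
    """Flag the mistakes that silently weaken a constraint."""
    constraints, declared, auth_method = parse_web_xml(xml_text)
    out = []
    if auth_method and auth_method not in VALID_AUTH_METHODS:
        out.append(f"auth-method {auth_method!r} is not a valid (case-sensitive) value")
    for c in constraints:
        for m in c["methods"] or ():
            if m != m.upper():
                out.append(f"http-method {m!r} never matches a real {m.upper()} request")
        if c["methods"] is not None:
            out.append(f"{c['patterns']}: methods other than {sorted(c['methods'])} are uncovered")
        for r in c["roles"] or ():
            if r != "*" and r not in declared:
                out.append(f"role {r!r} is not declared in <security-role>")
    return out
```

Run decide() with user_roles=None, {"administrators"} and {"guests"} against the sample to see "login-required", "permitted" and "denied" for GET /servlet/Info, and note that POST /servlet/Info comes back "uncovered" because the constraint names only GET; the lint() output on a copy of the sample with Get and Basic shows why those two values would have made the experiment behave as if no constraint existed.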