First, note that <auth-constraint> needs a <role-name> sub-element if it is not empty: <auth-constraint>*</auth-constraint> is not valid in the DD, the correct form is <auth-constraint><role-name>*</role-name></auth-constraint>. A typical trip-up question on the exam!
Also, it is important to realize that a security-constraint protects a url-pattern, not a component (a servlet or JSP): the same JSP reached through two different paths can be subject to two different constraints. I know this because it was a gotcha on one of the practice exams in Bridgewater's book that fooled me.
Try the following example:
1) Create a web-app with only an index.jsp page (for instance with NetBeans).
2) Overwrite the contents of web.xml with the version below. I am assuming that you have a user "ide" with role "admin" and password "admin" (standard in NetBeans); if you don't have them, create them (in Tomcat: edit tomcat-users.xml).
3) Deploy and run the web-app. You'll get a 403 error, and no login prompt.
4) Now enter a path of /Backdoor (with the context path in front, of course, e.g., http://localhost:8084/SecurityTest/Backdoor). If everything goes well, you'll get a pop-up that requests a user name and password (BASIC authentication). Any user that has a role declared in web.xml will do (provided he enters the correct password for his account).
This demonstrates that:
1) The security-constraint protects a url-pattern, not a component: the All-denied and the All-access-for-backdoor security constraints essentially protect the same JSP, yet the one path is refused and the other is reachable.
2) An auth-constraint with role-name * means that all roles declared in web.xml (in <security-role> elements) have access, so the container challenges for credentials instead of refusing outright.
3) An auth-constraint without a body means that nobody has access, which is why you get a 403 without ever being asked to log in. When several security constraints cover the same url-pattern the container combines them, and an empty auth-constraint takes precedence: the combined result permits no access at all. That combination rule does not bite here, because the container applies the constraints of the best-matching url-pattern only (the exact match /Backdoor wins over /*), which is exactly why the backdoor stays open.
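The web.xml the steps refer to is not reproduced on this page. What follows is an added reconstruction of my own, not the author's file, written to behave as the steps describe. It assumes a Servlet 2.5 descriptor, that /Backdoor is wired to index.jsp through a <servlet> element with a <jsp-file> (the page does not say how the backdoor path reaches the JSP, so that wiring is an assumption), and a single declared role named admin; the constraint names and the realm name are also my choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <!-- Assumption: a second path to the same JSP. Constraints protect
         url-patterns, so index.jsp is now reachable under two different
         rules: /index.jsp falls under /*, /Backdoor under its own pattern. -->
    <servlet>
        <servlet-name>Backdoor</servlet-name>
        <jsp-file>/index.jsp</jsp-file>
    </servlet>
    <servlet-mapping>
        <servlet-name>Backdoor</servlet-name>
        <url-pattern>/Backdoor</url-pattern>
    </servlet-mapping>

    <!-- All-denied: an empty auth-constraint means that no role at all is
         permitted. The container answers 403 straight away instead of
         sending a BASIC challenge, since no credentials could satisfy it. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All-denied</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

    <!-- All-access-for-backdoor: role-name * grants every role declared in
         a <security-role> element below. The <role-name> sub-element is
         mandatory; a bare <auth-constraint>*</auth-constraint> is invalid.
         Because /Backdoor is an exact match it is the best-matching pattern,
         so the /* constraint is not combined with this one. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All-access-for-backdoor</web-resource-name>
            <url-pattern>/Backdoor</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- BASIC authentication produces the browser's user name/password
         pop-up; the realm name is an assumption and only labels the prompt. -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>SecurityTest</realm-name>
    </login-config>

    <!-- Only roles declared here are covered by role-name *. The user "ide"
         from tomcat-users.xml is assumed to hold this role. -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
```

To see the precedence rule from conclusion 3 in action rather than merely avoided, change the second url-pattern from /Backdoor to /* as well: both constraints then match the same pattern, the container combines them, the empty auth-constraint overrides the role-name * one, and /Backdoor starts returning 403 too.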