I didn't find the above thing to inculde in HFSJ book .
Because you don't need the above thing. I tried your example, settings the users and roles in tomcat-users.xml, and setting the security constraints in web.xml. It works fine. Your problem comes either from your Tomcat installation, or your Eclipse project. This issue out of scope of the SCWCD forum. I will probably move it to a more relevant forum.