Where these three roles are present in my tomcat-users.xml. No other role is there in tomcat-users.xml.
And I have a JSP, restrict.jsp, in the root. When I access this JSP directly, I shouldn't be allowed, since having no <role-name> in <auth-constraint> means no role is allowed. But I can access this JSP. Why so?