Sorry to answer my own post. I was having a problem getting my head around it. I think I've figured it out, and wanted to post it here in case anyone else was looking for the same information - or in case I'm off-base and someone can correct me.
The <url-pattern> in the <web-resource-collection> under the <security-contraint> element can use file name
patterns (such as *.html) or directory path patterns (such as /foo/bar/*) (to name just two). Because all my HTML files were in the root of the web application, I was limited to specifying either /* or *.html. Both of which applied the security restrictions to all HTML files, not just the one I wanted.
What I did was to move my restricted HTML page to a sub-directory in the web application, named "authorized". Then I created a <url-pattern> entry of:
With this, I'm able to access the other HTML pages in the application without authenticating, but an attempt to access the restricted HTML page results in an authentication challenge.
In reading the documentation, it seems that I should be able to create a <url-pattern> that will be matched exactly, but creating one like:
did not work. I'm not sure why.
Thanks,