security-constraint

 
Ranch Hand
Posts: 50
I am trying to secure a page by allowing only authenticated viewing. But when I apply <security-constraint> in my app's web.xml file... I could not open any file... not even index.html. It shows a 404 "not found" error. However, the app runs fine without the security constraint, but without authentication!

My web.xml file looks like...

<security-constraint>
<web-resource-collection>
<web-resource-name>EmployeeSpecific</web-resource-name>
<url-pattern>/employee/loginTarget.html</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>

<auth-contstraint>
<role-name>employee</role-name>
</auth-constraint>
</security-constraint>


<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>empLogin.html</form-login-page>
<form-error-page>loginError.html</form-error-page>
</form-login-config>

</login-config>

<security-role>
<role-name>employee</role-name>
</security-role>



My app directory is like...

tomcat > webapps > ash > WEB-INF > web.xml
ash > index.html
ash > empLogin.html
ash > employee > loginTarget.html
 
Sheriff
Posts: 14691
You've got a typo in one of the tags: auth-contstraint -> auth-constraint
 
Ashish Malik
Ranch Hand
Posts: 50
Ohhh... I don't know how this error crept in here... but it's not in my app's web.xml file...
 
Ashish Malik
Ranch Hand
Posts: 50
I saw something somewhere about the MemoryRealm implementation in Tomcat.
I didn't get the concept of realms, but the article said that to implement user authentication your tomcat > conf > server.xml should have the following line uncommented...

<Realm className="org.apache.catalina.realm.MemoryRealm" />

However, I didn't find anything with the MemoryRealm thing!

Please help... I think the problem is somewhere here only!
 
Christophe Verré
Sheriff
Posts: 14691
Check Tomcat's logs. There might be an error at startup.
 
Ashish Malik
Ranch Hand
Posts: 50
Thanks a lot... I checked the server logs at startup and found the error.
It was some semantic error in the web.xml file.

But now I've got another mysterious error...
I cannot authorize after being authenticated.

I added a custom login form to my app. I also made changes to tomcat-user.xml to add a new role and user/password.
When I enter a wrong username/password the error page is displayed, but on entering the right uid/password I get a "403 - access denied" error. It happens even with the "manager" app!

My tomcat-user.xml reads:
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="employee" />
<role rolename="manager"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="Ashish" password="bookworm" roles="employee" />
<user username="root" password="secret" roles="manager"/>
</tomcat-users>


web.xml file is posted above! That contains security-constraints.
 
Ashish Malik
Ranch Hand
Posts: 50
Another semantic error!

Now corrected...
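An added example, not part of any post in the thread and not Tomcat's own tooling: a small Python check for the two failure modes discussed above (a web.xml that does not parse, and a 403 after a successful login), run over sample files constructed from the thread's snippets. `check`, `WEB_XML` and `USERS_XML` are hypothetical names, and the leading-slash rule for the form login pages comes from the Servlet specification, not from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's web.xml in a root element, tag typo fixed.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>EmployeeSpecific</web-resource-name>
      <url-pattern>/employee/loginTarget.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>employee</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>empLogin.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>employee</role-name></security-role>
</web-app>"""
# Constructed users file: the only user holds "staff", not "employee".
USERS_XML = '<tomcat-users><user username="u1" password="x" roles="staff"/></tomcat-users>'

def _named(root, name):
    # Match on the local tag name so a default xmlns does not hide elements.
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def _roles(root, parent):
    return {(r.text or "").strip() for p in _named(root, parent) for r in _named(p, "role-name")}

def check(web_xml, users_xml):
    """Return findings for a web.xml / tomcat-users.xml pair (hypothetical helper)."""
    try:
        web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    except ET.ParseError as exc:
        # A descriptor that does not parse keeps the context from starting (404s).
        return [f"not well-formed: {exc}"]
    out = []
    for tag in ("form-login-page", "form-error-page"):
        for el in _named(web, tag):
            path = (el.text or "").strip()
            if not path.startswith("/"):
                out.append(f"{tag} '{path}' must start with '/'")
    required = _roles(web, "auth-constraint") - {"*"}
    granted = {r.strip() for u in _named(users, "user") for r in u.get("roles", "").split(",")}
    out += [f"role '{r}' is not declared in a security-role" for r in sorted(required - _roles(web, "security-role"))]
    out += [f"no user holds role '{r}': logins succeed, then 403" for r in sorted(required - granted)]
    return out
```

Run against the real files before restarting Tomcat; an empty list means none of these three checks fired, not that the descriptor is otherwise valid.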