In order to force authentication, you need to associate an auth-constraint with the patterns for which you want the client to authenticate.
<auth-constraint>
<role-name>whatever</role-name>
</auth-constraint>
Also, it would probably be better not to list specific http-method elements in the web-resource-collection, as in that case all non-listed methods will not be protected.
Ron
<!--
The web-resource-collection element is used to identify a subset
of the resources and HTTP methods on those resources within a web
application to which a security constraint applies. If no HTTP methods
are specified, then the security constraint applies to all HTTP
methods.
Used in: security-constraint
-->
<!ELEMENT web-resource-collection (web-resource-name, description?,
url-pattern*, http-method*)>
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=279993