Found the problem... bad assumption...
I had a single role mapped in sun-web.xml. If you have one mapped then "Default Principal To Role Mapping" doesn't work. I thought the one that I had mapped was required for the <auth-constraint> in web.xml.
So in short, it is either "Default Principle To Role Mapping" or <security-role-mapping> never both.
[Message sent by forum member 'drfranknfurter' (drfranknfurter)]
http://forums.java.net/jive/thread.jspa?messageID=295849