The special role name “*” is a shorthand for all role names defined in the deployment descriptor. And looks like you have not defined any roles in the deployment descriptor other than trying to use the "*".
Also the way to allow all authenticated users access is to do the following :
1. Define a single role X in web.xml and use that in the auth-constraint
2. Add an assign-groups property to the realm configuration that assigns let's say group X to all authenticated users
3. define a trivial mapping of group (X) -> to role (X) in sun-web.xml OR alternatively activate default Principal-to-Role-Mapping via Admin-Gui.
[Message sent by forum member 'kumarjayanti' ]
http://forums.java.net/jive/thread.jspa?messageID=373598