WHETHER OR NOT THE JVM SECURITYMANAGER IS ENABLED DOES NOT DETERMINE WHETHER THE GLASSFISH SERVLET OR EJB CONTAINERS WILL ENFORCE ACCESS CONTROL RESTRICTIONS ON URL-PATTERMS OR EJB METHODS RESPECTIVELY!
please see
http://blogs.sun.com/monzillo/entry/policy_files_the_securitymanager_and
"Independent of whether or not a SecurityManager is enabled in the JRE, The JACC contract requires that the container perform its access control decisions, and that the results of these decisions properly reflect whether the caller is in a permitted role."
If this is a problem it may be with the security-constrint configuration of your app.
Also please note that BASIC AUTH is a bit sneaky. your (at your browser) will only be
prompted once for credentials to access a speciaf application. Usually the collected
credentials are deleteed when you restart your browser, after which you will be prompted to
enter them, the firts time you access a protected resource on the server.
with BASIC auth, ithe browser will silently send credentials to the app.
[Message sent by forum member 'monzillo' (ronald.monzillo_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=390084