I'm trying to protect a resource in Tomcat so that only "valid users" (those with a valid login and password in the realm) can access it. They do not necessarily belong to a group in the realm. I have tried with many combinations of the <security-constraint> directive without success. Any ideas?
Besides the auth-constraint you are adding to the security-constraint:
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
you need to specify the security role in the web-app:
  <security-role>
    <role-name>*</role-name>
  </security-role>
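
The two pieces from the answer above, placed together in one web.xml fragment, as an added example that is not part of the original posts. The resource name, URL pattern, BASIC authentication, realm name and the HTTPS requirement are assumptions chosen for illustration.

```xml
<!-- Fragment of WEB-INF/web.xml; these elements go inside <web-app>. -->

<security-constraint>
  <web-resource-collection>
    <!-- Assumed name and path for the protected resource -->
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
    <!-- No <http-method> elements, so the constraint covers every method -->
  </web-resource-collection>

  <!-- From the answer: role name * in the auth-constraint -->
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>

  <!-- Assumption: BASIC sends the password base64-encoded on every request,
       so require TLS for this resource -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Without a login-config the container has no way to ask for credentials -->
<login-config>
  <auth-method>BASIC</auth-method>
  <!-- Assumed realm name shown in the browser prompt -->
  <realm-name>Protected Area</realm-name>
</login-config>

<!-- From the answer: declare the role used in the auth-constraint -->
<security-role>
  <role-name>*</role-name>
</security-role>

<!-- Servlet 3.1 and later also define the role name ** in an auth-constraint
     as "any authenticated user, independent of role". -->
```

An `<auth-constraint>` with no `<role-name>` child denies all access to the resource, so it is not a substitute for the wildcard.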