You need to say what resources need authentication.
If this is put in the web.xml, it protects the whole application:
<security-constraint> <web-resource-collection> <web-resource-name>Example Event Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>eventuser</role-name> </auth-constraint> </security-constraint>