You need to say what resources need authentication.

If this is put in the web.xml, it protects the whole application:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Example Event Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>  
    <role-name>eventuser</role-name>
  </auth-constraint>
</security-constraint>