Require Login (Form based)
Hi all,
I want to control my website so that all pages require a logged-in user, and some pages are only visible to certain roles. In the web.xml description there is a remark for the <login-config> element:
If this element is present, the user must be authenticated in order to access any resource that is constrained by a <security-constraint> defined in the Web application. Once authenticated, the user can be authorized to access other resources with access privileges.
one for all pages:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>all pages</web-resource-name>
        <description>desc</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
</security-constraint>
one with restriction for roles:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>role rescricted</web-resource-name>
        <description>...</description>
        <url-pattern>/control/requirements/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>aRoleName</role-name>
    </auth-constraint>
</security-constraint>
my <login-config> element:
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/control/Login</form-login-page>
        <form-error-page>/control/Login</form-error-page>
    </form-login-config>
</login-config>
The role restriction works fine. But a user who is not logged in can also access the other pages and is not redirected to the login page.
Any ideas?
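
An added example, not part of the original post: a Python audit of the two constraints shown above. Under the Servlet specification, a <security-constraint> with no <auth-constraint> does not require authentication, and the script flags this for the /* pattern. The <web-app> root element, the function names and the status labels are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's two constraints inside an assumed <web-app> root.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>role rescricted</web-resource-name>
      <url-pattern>/control/requirements/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>aRoleName</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop an XML namespace prefix such as {http://...}security-constraint."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def audit_constraints(web_xml_text):
    """Return (url_pattern, status, roles) for every constrained URL pattern."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        auth = children(sc, "auth-constraint")
        roles = [r.text.strip() for a in auth for r in children(a, "role-name") if r.text]
        if not auth:
            status = "UNAUTHENTICATED"   # no <auth-constraint>: no login is required
        elif not roles:
            status = "DENY_ALL"          # empty <auth-constraint>: nobody may access
        else:
            status = "ROLES_REQUIRED"    # login plus one of the listed roles
        for wrc in children(sc, "web-resource-collection"):
            for up in children(wrc, "url-pattern"):
                findings.append(((up.text or "").strip(), status, roles))
    return findings

if __name__ == "__main__":
    for pattern, status, roles in audit_constraints(SAMPLE_WEB_XML):
        print(f"{pattern:30} {status:16} {roles}")
```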