Hi all,
I want to control my website so that all pages require a logged in user, some pages are only visible for certain roles. In the web.xml description there is a remark for the element:
If this element is present, the user must be authenticated in order to access any resource that is constrained by a defined in the Web application. Once authenticated, the user can be authorized to access other resources with access privileges.

one for all pages:

all pages

one with restriction for roles:

role rescricted


my element:



The role restriction works fine. But also a user who is not logged in, can access the other pages and is not redirected to the login page.

Any ideas??