My web.xml is listed below. I tested with Tomcat 5.0.29 and requested /first.jsp. I was prompted with a login prompt and I entered the password for an account with the "admin" role. Unexpectedly, /first.jsp was displayed!!
My understanding is that this should not have happened because I used <auth-constraint /> in my second <security-constraint>. Could anyone help me spot any mistake I may have made?