The reason I suggested trying it out was that I was experimenting with part of this issue only a couple of days ago, and as a result created a mock exam question that covered it. I only got as far as confirming that having a <auth-constraint/> means nobody gets to access the resource. I think that is as far as you need go on this for exam purposes.
I have taken to using the Tomcat built into Netbeans for most of these purposes, and it has a direct way to launch the Tomcat admin web application that allows you to manipulate users and roles. I'll describe further if you are interested.
Marcus
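
The `<auth-constraint/>` behaviour described in the post above can be checked against a deployment descriptor with a short script. This is an added example, not part of the original post: the descriptor, URL patterns and the `manager` role are constructed, and each `security-constraint` is judged on its own, without the servlet rules for combining overlapping constraints.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the post); no XML namespace, for brevity.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>locked</web-resource-name>
      <url-pattern>/locked/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>tls-only</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def classify(xml_text):
    """Map each url-pattern to who its own security-constraint lets in."""
    result = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            access = "anyone"  # element absent: no role check is applied
        else:
            roles = [r.text.strip() for r in auth.findall("role-name")]
            # element present but empty: no role can match, so nobody gets in
            access = ("roles: " + ", ".join(roles)) if roles else "nobody"
        for pattern in sc.iter("url-pattern"):
            result[pattern.text.strip()] = access
    return result

if __name__ == "__main__":
    for pattern, access in classify(WEB_XML).items():
        print(f"{pattern:12} -> {access}")
```

The contrast worth noticing is between the first and third constraints: an empty `<auth-constraint/>` locks the resource for everyone, while leaving the element out applies no role check at all.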