where can I see that error has been raised?
There is no error: as you haven't got the <role-name> element inside a <auth-constraint> element, the server takes this as an empty <auth-constraint />, meaning: no one is allowed
It seems Tomcat doesn't mind having text inside the body of the <auth-constraint> element.....
Regards
Frits