FIRSTLY :: your mistake is in line 17, that is "<auth-method>AuthName</auth-method>".
For your knowledge, I would like to tell you that we have four authentication methods available.
Here you're using form-based authentication, so <auth-method> should be "<auth-method>FORM</auth-method>".
SECONDLY :: in <web-resource-collection> you should have an http-method like <http-method>POST</http-method> by which your client can visit your resource. Now, by this, only roles inside <auth-constraint> can visit your resource via the above-defined http-method. The remaining roles are blocked from viewing your resource via this method, like the POST method in the above case.
BUT other roles can view your resource via other http-methods. So, better not to override any other methods inside your servlet.
Sorry, after viewing your question again, I found that I wrote too much.
IGNORE the extra part.
1. I have a custom form authenticator, through which all the *.do requests should pass (here I will authenticate or check for authentication). I also have some *.cc requests, and these need not pass through this authenticator.
2. Need to disable or restrict access to the HTTP methods (HEAD, OPTIONS, TRACE) for all users for the whole app root directory (/*).