The Problem is only with the <security-constraint> that grants Access to all Resources /*. Named: "AuthenticatedAccess"
But what it actually does it denys access to all resources located directly in the root directory. I can still access all resources in subdirectorys, which I find kind of odd...
Any Ideas why that could be the case?
Edit: The authorization seems to work, if i try to login with an invalid user I get forwarded to my error page. If i login with a user that is linked to the security-constraint "AuthenticatedAccess" i get a HTTP 403 access denied.
Edit2: Adding all Pages under the root-directory manually to the url-patterns worked. But I still dont understand the Problem. It worked until I added the second security-constraint.
I think it would be a good idea to grab a copy of the J2EE specification document from oracle.com and read up on the rules for security constraints. The spec should indicate precisely how URL patterns that are more generic than similar patterns are considered and what happens if a URL matches more that one pattern (or the pattern occurs twice).
Customer surveys are for companies who didn't pay proper attention to begin with.