I am attempting to get tomcat to challenge for a username/password pair when reading ANYTHING from a given directory. 
 
To test this, I added a directory called 'secure' in the 'webapps/test' directory.
 
I then modified webapps/test/WEB-INF/web.xml to look like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
 
<!-- servlet stuff is here, but snipped for this email -->
       
    <!-- Elements must follow the DTD order: security-constraint, then
         login-config, then security-role. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Test Secure Stuff</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
            <!-- Listing methods limits the constraint to these methods only. -->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
 
    <login-config>
        <auth-method>BASIC</auth-method>
        <!-- <form-login-config>
                <form-login-page>logmein.html</form-login-page>
                <form-error-page>denied.html</form-error-page>
            </form-login-config> -->
    </login-config>
 
    <security-role>
        <role-name>tomcat</role-name>
    </security-role>
</web-app>
 
I want nothing to be available in the secure directory (and below) unless the user is authorised (using the tomcat user found in conf/tomcat-users.xml).
However, when I use the url http://192.168.1.2/test/secure/index.html the flippin' page appears - no questions asked!! uh? was-goin-orf?
 
I have read through the servlet 2.2 spec umpteen times (found an inconsistency with the examples) and tomcat seems to cheerfully ignore my settings.
 
What am I doing wrong?
 
FYI, the commented out block was a frustrating attempt at getting form-based authentication - I gave up and am now just trying to get basic authentication going...
 
I am running:
RedHat Linux 6.2
Apache 1.3.12
Tomcat release 3.1
Blackdown JDK 1.2.2 RC4
 
I am now going home to cry.
Ed.
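Added example, not part of the post above: a small Python checker that parses the web.xml from the post and applies the servlet 2.2 url-pattern and http-method matching rules to a request, so one can confirm the descriptor itself covers /secure/index.html for the method used, independently of whether the request ever reaches Tomcat. It assumes the context path is /test, so the path matched within the web application is /secure/index.html.

```python
import xml.etree.ElementTree as ET

# The descriptor from the post, embedded (servlet entries and comments omitted) so this runs offline.
WEB_XML = """<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Test Secure Stuff</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint><role-name>tomcat</role-name></auth-constraint>
    </security-constraint>
    <login-config><auth-method>BASIC</auth-method></login-config>
    <security-role><role-name>tomcat</role-name></security-role>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet 2.2 url-pattern rules: default (/), path prefix (/dir/*), extension (*.ext), exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def load_constraints(web_xml):
    """Return (url_patterns, http_methods, required_roles) per security-constraint."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        methods = {m.text.strip().upper() for m in sc.findall("web-resource-collection/http-method")}
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        constraints.append((patterns, methods, roles))
    return constraints


def required_roles(constraints, path, method="GET"):
    """Roles needed for (method, path); None means no constraint applies to that request.
    An empty http-method set means the constraint covers every method."""
    roles = None
    for patterns, methods, sc_roles in constraints:
        if methods and method.upper() not in methods:
            continue  # constraint lists methods and this is not one of them
        if any(pattern_matches(p, path) for p in patterns):
            roles = sorted(set((roles or []) + sc_roles))
    return roles
```

Because the descriptor names GET and POST explicitly, the same path requested with any other method (HEAD, for instance) falls outside the constraint; leaving out http-method altogether makes the constraint apply to every method.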