I am attempting to get Tomcat to challenge for a username/password pair when reading ANYTHING from a given directory.
To test this, I added a directory called 'secure' in the 'webapps/test' directory.
I then modified webapps/test/WEB-INF/web.xml to look like the following:
<!-- servlet stuff is here, but snipped for this email -->
            <web-resource-name>Test Secure Stuff</web-resource-name>
        <!-- <form-login-config>
            </form-login-config> -->
I want nothing to be available in the secure directory (and below) unless the user is authorised (using the tomcat user found in conf/tomcat-users.xml).
However, when I use the URL the flippin' page appears - no questions asked!! uh? was-goin-orf?
I have read through the servlet 2.2 spec umpteen times (found an inconsistency with the examples) and Tomcat seems to cheerfully ignore my settings.
What am I doing wrong?
FYI, the commented out block was a frustrating attempt at getting form-based authentication - I gave up and am now just trying to get basic authentication going...
I am running:
RedHat Linux 6.2
Apache 1.3.12
Tomcat release 3.1
Blackdown JDK 1.2.2 RC4
I am now going home to cry.
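
Added example, not part of the original message and not the poster's web.xml: a small Python check that reads a deployment descriptor and reports which roles, if any, guard a request path, using the Servlet url-pattern forms (exact, `/prefix/*`, `*.ext`) matched against the path relative to the web application's context root. The descriptor below is constructed; the role name `tomcat`, the realm name, and the function names are assumptions, and overlapping constraints are simply unioned.

```python
import xml.etree.ElementTree as ET

# Constructed Servlet 2.2-style descriptor (assumption: not the poster's file).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test Secure Stuff</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Test Secure Stuff</realm-name>
  </login-config>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern forms: '/prefix/*', '*.ext', or an exact path."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def required_roles(web_xml, path, method="GET"):
    """Roles guarding a context-relative path, or None if nothing covers it."""
    roles = None
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        auth = sc.find("auth-constraint")
        for coll in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in coll.findall("http-method")]
            if methods and method not in methods:
                continue  # constraint is limited to other HTTP methods
            patterns = [p.text.strip() for p in coll.findall("url-pattern")]
            if auth is not None and any(pattern_matches(p, path) for p in patterns):
                found = {r.text.strip() for r in auth.findall("role-name")}
                roles = (roles or set()) | found
    return roles

def auth_method(web_xml):
    """The configured login method (e.g. BASIC), or None if login-config is absent."""
    node = ET.fromstring(web_xml).find("login-config/auth-method")
    return node.text.strip() if node is not None else None
```

A result of `None` from `required_roles` for a path under the protected directory means no constraint in the descriptor covers that path as written.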