NO <auth-constraint> is the opposite of an EMPTY <auth-constraint/>!
Remember this: if you don’t say which roles are constrained, then NO roles are constrained. But once you DO put in an <auth-constraint>, then ONLY the roles explicitly stated are allowed access (unless you use the wildcard “*” for the <role-name>). If you don’t want ANY role to have access, you MUST put in the <auth-constraint/>, but just leave it empty. This tells the Container, “I am explicitly stating the roles allowed and, by the way, there aren’t any!”
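As an added example (not from the original page), the following Python audit reads a deployment descriptor and reports, for each `<url-pattern>`, which of the cases above applies. The sample `web.xml`, its URL patterns, the `Admin` role and the helper names `local` and `classify` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.xml (web-resource-name omitted for brevity).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/templates/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/members/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop an XML namespace so namespaced descriptors parse the same way."""
    return tag.rsplit("}", 1)[-1]

def classify(web_xml):
    """Map each url-pattern to who the container lets through."""
    result = {}
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = next((e for e in sc if local(e.tag) == "auth-constraint"), None)
        if auth is None:  # element missing entirely: nothing is constrained
            verdict = "open: no roles constrained"
        else:
            roles = [(e.text or "").strip() for e in auth if local(e.tag) == "role-name"]
            if not roles:  # <auth-constraint/> present but empty
                verdict = "denied: empty auth-constraint"
            elif "*" in roles:
                verdict = "any role (wildcard)"
            else:
                verdict = "only: " + ", ".join(roles)
        for e in sc.iter():
            if local(e.tag) == "url-pattern":
                result[(e.text or "").strip()] = verdict
    return result

if __name__ == "__main__":
    for pattern, verdict in classify(SAMPLE_WEB_XML).items():
        print(f"{pattern:14} {verdict}")
```

The audit looks at each `<security-constraint>` on its own; it does not model how the Container combines several constraints that cover the same URL pattern.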