Project: Application Server 3, 4, 5 and 6
Issue: JBAS-2926

Restore the authentication only semantics of the "*" role-name



      Tomcat 5.5.16 has implemented a strict semantic of the role-name=* behavior that requires one or more valid roles in order for access to be permitted. There is no notion of authentication-only security constraints. We should add a jboss-web.xml flag:

      <jboss-web>
        <security-domain authenticationOnlyAllRolesMode="true">...</security-domain>
        ...

      authenticationOnlyAllRolesMode = true: if the all-roles role-name of "*" is specified, any authenticated user should be allowed access. A false setting defaults to restricting the allowed roles to those specified via security-role/role-name values. The Tomcat service should also have an equivalent flag to set the default behavior for all web apps.
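The difference between the two semantics is easiest to see on a concrete request. The following is an added example, not JBoss or Tomcat code: it parses a constructed web.xml fragment and a constructed jboss-web.xml fragment with the proposed flag, then decides access the way the two modes described above would. Element and attribute names follow the issue text; the helper names, the url-patterns, the security-domain JNDI name and the sample principals are assumptions made for the example.

```python
"""Model of the strict vs. authentication-only role-name="*" semantics.

Added example (not JBoss/Tomcat code). Only the descriptor element names
come from the issue; everything else here is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: /app/* is open to "*", /admin/* needs "admin".
# Only "admin" and "user" are declared via security-role.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>any-authenticated</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-only</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""


def jboss_web_xml(flag):
    """Constructed jboss-web.xml carrying the proposed flag (JNDI name is a placeholder)."""
    return ('<jboss-web><security-domain authenticationOnlyAllRolesMode="%s">'
            'java:/jaas/example-domain</security-domain></jboss-web>' % flag)


def parse_web_xml(text):
    """Return (declared security-role names, [(url-patterns, auth-constraint roles), ...])."""
    root = ET.fromstring(text)
    declared = {r.findtext("role-name") for r in root.findall("security-role")}
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text for p in sc.findall("web-resource-collection/url-pattern")]
        roles = [r.text for r in sc.findall("auth-constraint/role-name")]
        constraints.append((patterns, roles))
    return declared, constraints


def authentication_only_mode(jboss_web_text):
    """True when security-domain carries authenticationOnlyAllRolesMode="true"."""
    sd = ET.fromstring(jboss_web_text).find("security-domain")
    return sd is not None and sd.get("authenticationOnlyAllRolesMode", "false").lower() == "true"


def matches(pattern, path):
    """Minimal url-pattern matching: exact match or a trailing "/*" prefix match."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern


def has_permission(path, principal_roles, declared, constraints, auth_only):
    """principal_roles is None for an unauthenticated request, else a set of role names."""
    applicable = [roles for patterns, roles in constraints
                  if any(matches(p, path) for p in patterns)]
    if not applicable:
        return True            # no constraint covers this path
    if principal_roles is None:
        return False           # a constrained path always requires authentication
    for roles in applicable:
        for role in roles:
            if role == "*":
                if auth_only:
                    return True                    # any authenticated user passes
                if principal_roles & declared:
                    return True                    # strict: needs a declared role
            elif role in principal_roles:
                return True
    return False


def decide(path, principal_roles, flag):
    """Full decision for one request against the constructed descriptors."""
    declared, constraints = parse_web_xml(WEB_XML)
    return has_permission(path, principal_roles, declared, constraints,
                          authentication_only_mode(jboss_web_xml(flag)))


if __name__ == "__main__":
    for roles in (None, {"guest"}, {"user"}, {"admin"}):
        for flag in ("true", "false"):
            print("/app/index.jsp", roles, "flag=" + flag, "->", decide("/app/index.jsp", roles, flag))
```

The case that separates the two modes is a principal whose only role ("guest" above) is not declared in any security-role: it is admitted to /app/* in authentication-only mode and refused under the strict semantics, while unauthenticated requests are refused in both modes and the /admin/* constraint is unaffected by the flag.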

            starksm64 Scott Stark (Inactive)
