Security with tomcat 5.5

[qojote]

Hi,

I am a beginner trying to configure Tomcat and my applikation to use container security.
But i don't get this working.

For testing the app is simple only and there are only 3 Pages.
/finaltest/final.html
/finaltest/index.html
/finaltest/sec.html

Here my web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="

http://java.sun.com/xml/ns/j2ee"

xmlns:xsi="

http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="

http://java.sun.com/xml/ns/j2ee

http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<display-name>
finaltest</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>finaltest</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint></auth-constraint>

</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>realm</realm-name>
</login-config>
</web-app>

I thought so there can't anyone access the 3 pages.
But I still can without login access the pages.

Must i configure something more ?
I have searched for an solution in various books but all themes to be ok.

Thanks for any help