
Error during FORM auth in Tomcat

I want to make authentication controlled by Tomcat. To test it I created two simple pages, a login page and a loginError page.

Authentication seemed to work. When I enter a wrong login or password I see the loginError page. But when I enter the correct login and password I see:

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

Here is my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/protected.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>

Here is my tomcat-users.xml

<tomcat-users>

  <role rolename="tomcat"/>
    <role rolename="admin"/>
    <role rolename="manager"/>
    <user password="tomcat" roles="tomcat,manager,admin" username="tomcat"/>
    <user password="proger" roles="tomcat" username="proger"/>
</tomcat-users>

My login.jsp looks like:

<html>
    <body>
        <form id="loginForm" method="post" action="j_security_check">
            <p>
                Username: <input type="text" name="j_username" id="j_username" />
                <br/>
                Password: <input type="password" name="j_password" id="j_password" />
                <br/>
                <button type="submit">login</button>
            </p>
        </form>
    </body>
</html>

To deploy it I use NetBeans 6.9.1. I use Tomcat 6.0.29. What can be wrong? Thank you in advance.


Using

   <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>

requires that you also define 'valid' roles:

<security-role>
      <role-name>admin</role-name>
</security-role>
<security-role>
     <role-name>user</role-name>
</security-role>

If the user enters a valid name/pass, but is only in role 'dimwit', they'll get access denied.
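The rule this answer describes, modelled as an added example (not code from the question, the answer or Tomcat): `*` in an auth-constraint expands to the roles declared in `<security-role>` elements, so the check reports which users from tomcat-users.xml would reach /protected.jsp after a correct login. The function names and the trimmed XML strings are constructed for illustration, and only exact url-pattern matches are handled.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}  # namespace of the web.xml above

# Constructed inputs: the security parts of the question's files.
CONSTRAINT = """<security-constraint>
  <web-resource-collection><url-pattern>/protected.jsp</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint>"""
ROLES = """<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>user</role-name></security-role>"""
WEB_XML_ASKED = f'<web-app xmlns="{NS["j"]}">{CONSTRAINT}</web-app>'
WEB_XML_ANSWER = f'<web-app xmlns="{NS["j"]}">{CONSTRAINT}{ROLES}</web-app>'
USERS_XML = """<tomcat-users>
  <user password="tomcat" roles="tomcat,manager,admin" username="tomcat"/>
  <user password="proger" roles="tomcat" username="proger"/>
</tomcat-users>"""

def texts(node, path):
    """Stripped text of every element matching path under node."""
    return {(e.text or "").strip() for e in node.findall(path, NS)}

def allowed_roles(web_xml, url):
    """Roles admitted for url (exact url-pattern match only, a simplification)."""
    root = ET.fromstring(web_xml)
    declared = texts(root, "j:security-role/j:role-name")  # what "*" expands to
    allowed = set()
    for sc in root.findall("j:security-constraint", NS):
        if url in texts(sc, "j:web-resource-collection/j:url-pattern"):
            for name in texts(sc, "j:auth-constraint/j:role-name"):
                allowed |= declared if name == "*" else {name}
    return allowed

def access_report(web_xml, users_xml, url):
    """username -> True if a correct password reaches url, False if it ends in 403."""
    allowed = allowed_roles(web_xml, url)
    report = {}
    for user in ET.fromstring(users_xml).findall("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        report[user.get("username")] = bool(roles & allowed)
    return report

if __name__ == "__main__":
    for label, doc in (("as asked", WEB_XML_ASKED), ("with the answer's roles", WEB_XML_ANSWER)):
        print(label, access_report(doc, USERS_XML, "/protected.jsp"))
```

With no `<security-role>` declared, `*` expands to nothing and every user is denied; with the answer's two roles declared, `proger` (role `tomcat` only) is still denied until `tomcat` is declared as well.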
