Everytime asked yourself what to do in order to use a basic password pop up as authentication mechanism instead of a form based login (which uses the HTML logon page)? This is how your web.xml file has to look like. (In addition, do not forget to use security constraints on all HTTP methods in the web.xml, as also a security role.)

...

<login-config>

  <auth-method>BASIC</auth-method>

  <realm-name>Put here the name, which appears as header in the basic password pop up</realm-name>

</login-config>

<security-constraint>

  <display-name>Authenticated users only</display-name>

  <web-resource-collection>

    <web-resource-name>root</web-resource-name>

    <url-pattern>/*</url-pattern>

    <http-method>GET</http-method>

    <http-method>POST</http-method>

    <http-method>TRACE</http-method>

    <http-method>DELETE</http-method>

    <http-method>CONNECT</http-method>

    <http-method>PUT</http-method>

    <http-method>HEAD</http-method>

    <http-method>OPTIONS</http-method>

  </web-resource-collection>

  <auth-constraint>

    <description>all</description>

    <role-name>all</role-name>

  </auth-constraint>

  <user-data-constraint>

    <transport-guarantee>NONE</transport-guarantee>

  </user-data-constraint>

</security-constraint>

<security-role>

  <role-name>all</role-name>

</security-role>

...

In addidion, add a security role mapping to your web-j2ee-engine.xml.

...

<security-role-map>

  <role-name>all</role-name>

  <server-role-name>all</server-role-name>

</security-role-map>

...