Servlet 3.1 Specification (JSR 340) and Java Authorization Contract for Containers (JSR 115) MR3 are almost ready for release. Besides "*", the role-name "**" is introduced in the above two specifications. In a nutshell, "*" means any role defined in web.xml and "**" means any authenticated user. Prior to Servlet 3.1, web containers use proprietary mechanisms to add security-constraints for any authenticated user. For instance, GlassFish v1 achieves this through the use of assign-groups. Let us look at an example of how to use "**" to have a security-constraint in Servlet 3.1. Suppose we have three servlets with a snapshot of web.xml in a web application as follows:<security-constraint> <web-resource-collection> <web-resource-name>forFooServlet</web-resource-name> <url-pattern>/foo</url-pattern> </web-resource-collection> <auth-constraint> <role-name>**</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>forBarServlet</web-resource-name> <url-pattern>/bar</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>forBazServlet</web-resource-name> <url-pattern>/baz</url-pattern> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>admin</role-name> </security-role> <security-role> <role-name>staff</role-name> </security-role> In this case, only "admin" and "staff" roles are defined. Suppose we have the followingsecurity-role-mapping inglassfish-web.xml. Note that group contractor does not map to any role below. <security-role-mapping> <role-name>admin</role-name> <group-name>manager</group-name> </security-role-mapping> <security-role-mapping> <role-name>staff</role-name> <group-name>staff</group-name> </security-role-mapping> Suppose Alice, Bob and Carol are authenticated users for the web application. The following table summarizes the behavior of "*" and "**".                                     
usergrouprole/foo ("**")/bar ("*")/baz ("admin")
Carolcontractor okdenydeny
The feature "**" has been implemented in GlassFish 4.0. You can download it from here.