I'd like to grant access to authenticated users in my web application without requiring them to be a member of a specific role.

My first guess was to specify <role-name>*</role-name> in my auth-constraint; however, it seems that this just means grant access to any role defined in my web-app, not grant access to any authenticated user.

Is it possible to do this in Tomcat 5.5.x and if so how?

A: 

I think the direct answer is no, you can't do that in Java EE 5. But you could create an "everyone" role which every authenticated user is a part of. I think that's what John is getting at, and is how I would do it. It's really not much different.

Alternatively, if you're willing to do this programmatically, and are using container-managed authentication, you should be able to detect an authenticated user by checking whether HttpServletRequest.getRemoteUser() isn't null. That doesn't involve roles.

Sean Owen
A: 

As it turns out, Tomcat does support this. In the server.xml, add allRolesMode = authOnly in the appropriate Realm tag.

Brabster
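
The two pieces of configuration discussed in the answers above, side by side, as an added example that is not part of either answer. The UserDatabaseRealm class, the resource name, the BASIC login method and the URL pattern are assumptions chosen for illustration; substitute the Realm and paths the application already uses.

```xml
<!-- WEB-INF/web.xml: protect the application and name the wildcard role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- With the default allRolesMode ("strict") this matches only roles
         declared in this web.xml, which is the behaviour the question saw. -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example</realm-name>
</login-config>

<!-- conf/server.xml: with authOnly, "*" admits any user the Realm
     authenticates, whether or not that user holds a role. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"
       allRolesMode="authOnly"/>
```

The setting applies to every web application that authenticates against that Realm element, so a Realm declared at Engine or Host level relaxes the "*" constraint for all applications beneath it. Nesting the Realm inside a single Context limits the change to that application.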