According to the servlet spec 2.3 the specially reserved role-name "*" is a compact syntax for indicating all roles in the web application. Tomcat interprets "*" as meaning "any authenticated user", which is not quite the same thing as the spec language either. For further reading have a look at Graig's reply to my post in tomcat user mailing list: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg78364.html
Thsi has been fixed in SVN for tc4.1.x and tc5.5.x