I have disabled the welcome-filles in JBoss AS 7.1.1 and am using a directory for static resources that I mapped to "/" with jboss-web.xml. This is working fine. I have a simple Servlet-based web-app that I configured in web.xml to use Basic authentication using the "application-roles.properties" and "application-users.properties" files in standalone/configuration. This is also working fine.
Now I would like to protect a "downloads" subdirectory of the static resources directory mentioned above with Basic auth. I've added a web.xml inside the root folder with the same config as in the Servlet-based Web-app but this does not work. I can still access the download without being prompted for credentials.