Java Container Managed Security Not Redirecting to Login Page

Question

I have a JSF 2 web application I am building on GlassFish 3. I am using container managed security to handle the login. Every page in my web app needs to be secure. All pages are in the root directory along with the login page. The problem is when I type a URL to directly access a protected page, it displays even though a user is not logged in. I would like every page on my site except for the login page to be secured so the user has to access the site through this login page. Any ideas why it's not blocking requests for other pages when the user is not logged in?

Here is the relevant snippet from my web.xml:

<welcome-file-list>
    <welcome-file>index.jsf</welcome-file>
</welcome-file-list>
<security-constraint>
    <display-name>EmployeeConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>Pages</web-resource-name>
        <description/>
        <url-pattern>/home.jsf</url-pattern>
        <url-pattern>/applicantHome.jsf</url-pattern>
        <url-pattern>/assessmentFinished.jsf</url-pattern>
        <url-pattern>/help.jsf</url-pattern>
        <url-pattern>/memberInfo.jsf</url-pattern>
        <url-pattern>/phrases1.jsf</url-pattern>
        <url-pattern>/phrases2.jsf</url-pattern>
        <url-pattern>/quotations1.jsf</url-pattern>
        <url-pattern>/quotations2.jsf</url-pattern>
        <!--url-pattern>/myProfile.jsf</url-pattern-->
    </web-resource-collection>
    <auth-constraint>
        <role-name>Employee</role-name>
        <role-name>Applicant</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>ApplicantConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>Pages</web-resource-name>
        <description/>
        <url-pattern>/home.jsf</url-pattern>
        <url-pattern>/applicantHome.jsf</url-pattern>
        <url-pattern>/assessmentFinished.jsf</url-pattern>
        <url-pattern>/help.jsf</url-pattern>
        <url-pattern>/memberInfo.jsf</url-pattern>
        <url-pattern>/phrases1.jsf</url-pattern>
        <url-pattern>/phrases2.jsf</url-pattern>
        <url-pattern>/quotations1.jsf</url-pattern>
        <url-pattern>/quotations2.jsf</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-constraint>
    <display-name>ReportsConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>Pages</web-resource-name>
        <description/>
        <url-pattern>/reports.jsf</url-pattern>
        <url-pattern>/indReport.jsf</url-pattern>
        <url-pattern>/indReportResults.jsf</url-pattern>
        <url-pattern>/groupReport.jsf</url-pattern>
        <url-pattern>/cloneReport.jsf</url-pattern>
        <url-pattern>/home.jsf</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-constraint>
    <display-name>AdministratorConstraints</display-name>
    <web-resource-collection>
        <web-resource-name>Pages</web-resource-name>
        <description/>
        <url-pattern>/admin.jsf</url-pattern>
        <url-pattern>/home.jsf</url-pattern>
        <url-pattern>/applicantHome.jsf</url-pattern>
        <url-pattern>/assessmentFinished.jsf</url-pattern>
        <url-pattern>/cloneBuilder.jsf</url-pattern>
        <url-pattern>/cloneBuilderMenu.jsf</url-pattern>
        <url-pattern>/cloneBuilderRangeEditor.jsf</url-pattern>
        <url-pattern>/cloneReport.jsf</url-pattern>
        <url-pattern>/cloneReport.jsf</url-pattern>
        <url-pattern>/groupReport.jsf</url-pattern>
        <url-pattern>/help.jsf</url-pattern>
        <url-pattern>/indReport.jsf</url-pattern>
        <url-pattern>/indReportResults.jsf</url-pattern>
        <url-pattern>/licenseManager.jsf</url-pattern>
        <url-pattern>/management.jsf</url-pattern>
        <url-pattern>/memberInfo.jsf</url-pattern>
        <url-pattern>/phrases1.jsf</url-pattern>
        <url-pattern>/phrases2.jsf</url-pattern>
        <url-pattern>/quotations1.jsf</url-pattern>
        <url-pattern>/quotations2.jsf</url-pattern>
        <url-pattern>/reports.jsf</url-pattern>
        <url-pattern>/userAdmin.jsf</url-pattern>
    </web-resource-collection>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>PerProUserAuth</realm-name>
    <form-login-config>
        <form-login-page>/index.jsf</form-login-page>
        <form-error-page>/index.jsf</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description/>
    <role-name>Employee</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>Applicant</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>Administrator</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>Reports</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>Former Employee</role-name>
</security-role>

Answer 1

There's a tutorial here with a quote that may be relevant.

Because security role mapping happens at deployment time, the default mapping must be turned on before the application is deployed. To turn on the default mapping, choose Configuration -> Security in the admin console. Click Enabled next to Default Principal to Role Mapping and Save.