How to configure glassfish 3.1 security file realm

Published 2019-03-29 07:18

Question:

I am trying to configure a simple file realm in glassfish 3.1 following this tutorial:

I did everything as it says, but it doesn't work: when I travel to the admin page I don't see the pop-up message asking for credentials. This is what I did:

1- Create a file realm:

2- Then I created a user using the manage users button

3- I created a glassfish-web.xml file using the graphic interface instead of the editors

4- Then in the same way I configured the web.xml. Sorry if this last image is a bit hard to see, you can zoom.

When I use the URL to travel to /admin.xhtml, nothing stops me from viewing the content of the page; this means something is not configured right. I don't know what I am missing. Could somebody give me a hand trying to find the reason I cannot make this simple security task work?

Update

Here is my web.xml source

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>faces/index.xhtml</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>allowed</web-resource-name>
            <description/>
            <url-pattern>/admin.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>administrator</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>administrator</role-name>
    </security-role>
</web-app>

and also glassfish-web.xml source

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
  <security-role-mapping>
    <role-name>administrator</role-name>
    <group-name>admin</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>

Basically, what I want to do is to have 2 types of users: guests, who just browse index.xhtml and have no credentials at all, and the administrators, who have their credentials stored in the file and are asked for them when going to admin.xhtml.

I don't understand what is missing. Do I need to create a special privilege for guest users saying that they can view index.xhtml?

Answer 1:

Assuming your admin.xhtml is a JSF page, then because your JSF mapping is /faces/* you are opening it through a URL like http://localhost:8080/[Project/]faces/admin.xhtml. This does not match /admin.xhtml.

Replace:

<url-pattern>/admin.xhtml</url-pattern>

with

<url-pattern>/faces/admin.xhtml</url-pattern>
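
Added example (not part of the original answer and not GlassFish code): a Python check of the mismatch described above, listing every context-relative path under which a view can be requested and which roles guard each one. The embedded web.xml is a constructed excerpt of the question's file, the function names are hypothetical, and matching is simplified to exact, prefix and extension patterns without the Servlet spec's best-match precedence.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the servlet mapping and constraint from the question's web.xml.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def matches(pattern, path):
    """Simplified url-pattern match: '/prefix/*', '*.ext', or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def request_paths(root, view):
    """The direct path to the view file plus one path per prefix servlet mapping."""
    mapped = [m.text.strip() for m in root.findall("j:servlet-mapping/j:url-pattern", NS)]
    return [view] + [p[:-2] + view for p in mapped if p.endswith("/*")]

def coverage(web_xml, view):
    """Map each request path for `view` to the roles guarding it ([] = open)."""
    root = ET.fromstring(web_xml)
    result = {}
    for path in request_paths(root, view):
        roles = []
        for sc in root.findall("j:security-constraint", NS):
            pats = [u.text.strip() for u in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
            if any(matches(p, path) for p in pats):
                roles += [r.text.strip() for r in sc.findall("j:auth-constraint/j:role-name", NS)]
        result[path] = roles
    return result

if __name__ == "__main__":
    for path, roles in coverage(WEB_XML, "/admin.xhtml").items():
        print(path, "->", roles or "NOT PROTECTED")
```

With the replacement above applied, the report flips: /faces/admin.xhtml is guarded and the direct /admin.xhtml path is not, so listing both url-pattern entries in the web-resource-collection covers both paths.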