Ideally I would re-open issue #34 but I don't have permission to do that.
Please clarify the purpose of adding the special role name "*". A role name of "" already indicates that a user with any role can access the protected resource. If a url is protected by a security constraint, a user must be authenticated before their access to it can be determined. Thus, the role name of "" in a security constraint already means "any authenticated user" may access the user protected by it: the new special role name of "*" is unnecessary.