[ ] As you continue building your site, consider not only which jsps need to be locked down, but which servlets too! For example, if search.jsp is restricted, the search servlet should be limited as well, so the savvy user doesn't access it using the servlet url: "/searchUser".
Nice job getting tomcat JDBC realm auth working!