以下是您的答案:

<?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
        version="3.0">
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <security-constraint>   
        <web-resource-collection>
            <web-resource-name>Private Page</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>moderator</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>   
        <web-resource-collection>
            <web-resource-name>Public page</web-resource-name>
            <url-pattern>/test/*</url-pattern>
        </web-resource-collection>        
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Test Realm</realm-name>
    </login-config>
</web-app>

在此配置中，根目录受密码保护，而/test/...目录不受密码保护.我认为这就是您要的.

In this configuration, the root directory is password protected and the /test/... directory is not. I think this is what you are asking for.

此配置在Tomcat 7+上进行了测试，并在NetBeans中从头开始创建了一个新项目(如果需要，我可以通过电子邮件将整个源代码发送给您).

This configuration is tested on Tomcat 7+ and a new project created from the beginning in NetBeans (I can email you the whole source if you need it).

这是输出: