http://stackoverflow.com/questions/12388293/ibm-was-ignoring-security-in-web-xml
http://stackoverflow.com/questions/5067917/websphere-security-constraint-in-web-xml-doesnt-work
WebSphere security may not be enabled. If it's not, your web.xml settings will be ignored.
In the admin console, look in the Security -> Global Security section. Make sure 'Enable application security' is checked.
Note that you can create different security settings at different 'levels' (node, server, etc). If you have multiple domains defined in Security -> Security Domains, make sure the app server your webapp is running on has the correct domain set.