I'm new to SAP BTP. I'm trying to follow a tutorial:
https://developers.sap.com/tutorials/s4sdk-secure-cloudfoundry.html
In particular, I receive a 401 after configuring the role Display.
I followed all the steps for my TomEE project, from xs-security.json:
{
  "xsappname": "javaapp",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "$XSAPPNAME.Display",
      "description": "display"
    }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "description": "Required to view things in your solution",
      "scope-references": [
        "$XSAPPNAME.Display"
      ]
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": ["https://*.cfapps.xxxxxxx.hana.ondemand.com/**"]
  }
}
The web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
  <session-config>
    <session-timeout>20</session-timeout>
  </session-config>
  <login-config>
    <auth-method>XSUAA</auth-method>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Baseline Security</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>Display</role-name>
  </security-role>
  <filter>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
The endpoints, with and without protection:
@WebServlet("/businesspartners")
@ServletSecurity(@HttpConstraint(rolesAllowed = { "Display" }))
public class BusinessPartnerServlet extends HttpServlet
{
    // ... (rest of the class not shown)
}

@WebServlet("/hello")
public class HelloWorldServlet extends HttpServlet
{
    private static final long serialVersionUID = 1L;
    private static final Logger logger = LoggerFactory.getLogger(HelloWorldServlet.class);
    // ... (rest of the class not shown)
}
And the correct configuration of the role in a role collection on the SAP BTP platform:
Why do I receive a 401 from both endpoints when I configured it only for the Hello page?
Thanks
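
An added example, not part of the original post: a small Python check that reads the `<security-constraint>` from the web.xml above and reports which request paths it covers and which roles may reach them. The function names are hypothetical, the embedded XML is a trimmed copy of the posted file, and the check ignores `http-method` and best-match precedence between several constraints.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the security-constraint and security-role from the posted web.xml.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Baseline Security</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Display</role-name></security-role>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, prefix (/x/*), extension (*.x), default (/)."""
    if pattern == path or pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def required_roles(web_xml, path):
    """Return None if no auth-constraint covers path, else the set of roles allowed."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}
    allowed, covered = set(), False
    for sc in root.findall("j:security-constraint", NS):
        patterns = [p.text.strip()
                    for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        auth = sc.find("j:auth-constraint", NS)
        if auth is None or not any(pattern_matches(p, path) for p in patterns):
            continue  # constraint does not apply, or it demands no login
        covered = True
        for r in auth.findall("j:role-name", NS):
            name = r.text.strip()
            # "*" is shorthand for every role declared in <security-role>
            allowed |= declared if name == "*" else {name}
    return allowed if covered else None
```

With the posted descriptor, `required_roles(WEB_XML, "/hello")` and `required_roles(WEB_XML, "/businesspartners")` both return `{"Display"}`, because the `/*` pattern covers every path regardless of the `@ServletSecurity` annotation on one servlet.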

