Did you heard something about CVE-2022-34305?
Are you trying to hunting this CVE on the wild?
I've bad news: It's authenticated.
The ilustration above was grabbed from here
Maybe you can have some luck trying to authenticating with the following default logins bellow:
<user username="tomcat" password="tomcat" roles="tomcat" />
<user username="both" password="tomcat" roles="tomcat,role1" />
<user username="role1" password="tomcat" roles="role1" />
The commit from Apache fixing this vulnerability can be found here