Can somebody answer this question or provide a link? If using Tomcat 3.2/4.0 with Apache and form-based login, will the resources that are served directly by Apache be protected, and how is it done? As far as I understood, Tomcat stores the username and password in the session and checks on each request whether the requested resource is protected and the stored user has the credentials to access it (org/apache/tomcat/request/AccessInterceptor.java). But Apache doesn't know anything about the Tomcat session (it may know the session ID from the cookie or the URL, but it has no access to the internal data of the session), so how can Apache protect the static resources?