Hi all, It seems that webapp classloader puts all classes loaded from a webapp directory into the same ProtectionDomain regardless of the location where the class was loaded from (like classes dir or a jar file). It means that any security grant entry granting permssions to a webapp codesource effectively grants the same set of permissions to each and every class in web application. This is probably fine in most cases but leaves no possibility to fine tune security within web-application. My particular problem is that I'm trying to use JAAS to enable access control with custom JAAS policy implementation. CodeSOurce partitioning that Sun suggests requires that the code sensitive to user-based operations shoud be put into separate ProtectionDomain for JAAS mechanisms to work. The only way to do this with Tomcat is to put classes someplace out of webapp directory, so they don't inherit any permissions assigned to webapp ProtectionDomain. I think that webapp class loader should put classes loaded from class directory and every jar file into diffrent protection domains, like class loaders that load classes from the system classpath in Java. Well, if all that makes any sense to you may be there's something I'm missing here? Just wanted to get other people's opinions... --Vlad. *********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. ***********************************************************************