We do not allow this combintaion of URL patterns in web-resource-collection. This is in line with JACC http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/WebResourcePermission.html
<security-constraint> <web-resource-collection> <web-resource-name>Admin Role</web-resource-name> <url-pattern>*.do</url-pattern> </web-resource-collection> <auth-constraint> <role-name>content-administrator</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Unrestricted ACCESS</web-resource-name> <url-pattern>/login.do</url-pattern> </web-resource-collection> </security-constraint> The following url-patterns are allowed with *.do - - /login/*, /login.do/* , i.e. path prefix patterns - login.do, i.e. Exact patterns matching *.do - login.do/, login.do/* Does anyone know why the above web.xml fragment should or should not be allowed? Thanks Anita ____________________________________________________________________________________ Get your own web address. Have a HUGE year through Yahoo! Small Business. http://smallbusiness.yahoo.com/domains/?p=BESTDEAL