hi folks,

i'm obviously doing something wrong here. a search through the archives didn't present a solution so i have to ask you even though i think this has been asked before.

i want to do form-based login for my webapp. securing ejbs is not yet needed, controlling who can login to the app is.

    <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm" debug="0" />

was missing from server.xml in tomcat/conf, instead i found:

    <RequestInterceptor className="org.jboss.tomcat.security.JBossSecurityMgrRealm" />

i suggested that i do not need a separate jdbcrealm as when using only tomcat or am i wrong here?

i just configured my parts in the web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/docs/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>

and as a result i get:

    [EmbeddedTomcatSX] User: null is authenticated
    2001-07-10 01:14:55 - Ctx( /CN_BSC3 ): Exception in: R( /CN_BSC3 + /docs/index.jsp + null) - java.lang.NullPointerException
        at org.jboss.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:113)
        at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java:837)
        at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)
        at org.jboss.tomcat.security.JBossSecurityMgrRealm.authorize(JBossSecurityMgrRealm.java:148)
        at org.apache.tomcat.core.ContextManager.doAuthorize(ContextManager.java:855)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:789)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:213)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
        at java.lang.Thread.run(Unknown Source)

and not the login-page.

can anyone please point me in the right direction.

jan

--
Jan Heise / Tel: +49-170-4803237 / E-Mail: [EMAIL PROTECTED]