I have had partial success with this problem: protecting a servlet from being invoked until the user has passed login form-based authentication. I have found that if you specify a <servlet-mapping> in conjunction with a <security-constraint> for the mapped servlet, form-based authentication doesn't seem to work quite right.

For example, the following does not work (at least for me!) when the user types http://localhost/test/ts as the URL (assuming test is my web-app name):

    <servlet>
        <servlet-name>Test</servlet-name>
        <servlet-class>com.mongoosetech.test.TestServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>Test</servlet-name>
        <url-pattern>/ts/*</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Something</web-resource-name>
            <url-pattern>/ts/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>users</role-name>
        </auth-constraint>
    </security-constraint>

The following DOES work if the user types http://localhost/test/servlet/Test (note the absence of the <servlet-mapping>, and the /servlet/* <url-pattern>):

    <servlet>
        <servlet-name>Test</servlet-name>
        <servlet-class>com.mongoosetech.test.TestServlet</servlet-class>
    </servlet>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Something</web-resource-name>
            <url-pattern>/servlet/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>users</role-name>
        </auth-constraint>
    </security-constraint>

Is this an Orion bug? Is this a servlet 2.2 spec bug/oversight? Or is it user (me) oversight - something I missed or mis-specified? Can someone on the Orion team let me know?

Thanks...

Kit Cragin
VP of Product Development
Mongoose Technology, Inc.
www.mongoosetech.com
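The question above turns on whether a <security-constraint> url-pattern actually covers every path a client can use to reach the mapped servlet. The following Python script is an added example, not part of the original post or of Orion; it parses a Servlet 2.2 style web.xml, applies the spec's url-pattern matching rules (exact, path-prefix "/dir/*", extension "*.ext"), and reports request paths that reach a servlet without passing through a constraint that has an <auth-constraint>. The two embedded descriptors are constructed from the poster's snippets, with a <login-config> added so the first one is a complete FORM-login descriptor. It assumes the container also exposes an invoker servlet at /servlet/<name> and /servlet/<class> (the path the poster's second configuration relies on); that prefix and the invoker check are assumptions about the deployment, not something the post states.

```python
"""Audit a web.xml: which request paths reach a servlet unprotected?"""
import xml.etree.ElementTree as ET

# Constructed sample: the poster's first descriptor (mapping + constraint on
# /ts/*), plus a <login-config> so a container would challenge with FORM login.
WEB_XML_MAPPED = """<web-app>
  <servlet>
    <servlet-name>Test</servlet-name>
    <servlet-class>com.mongoosetech.test.TestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Test</servlet-name>
    <url-pattern>/ts/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Something</web-resource-name>
      <url-pattern>/ts/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""

# Constructed sample: the poster's second descriptor (no mapping, /servlet/* constraint).
WEB_XML_INVOKER = """<web-app>
  <servlet>
    <servlet-name>Test</servlet-name>
    <servlet-class>com.mongoosetech.test.TestServlet</servlet-class>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Something</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Assumption: the container serves an invoker servlet under this prefix.
INVOKER_PREFIX = "/servlet/"


def url_pattern_matches(pattern, path):
    """Servlet 2.2 url-pattern rules: exact match, path prefix '/dir/*',
    or extension '*.ext'. The default-servlet pattern '/' is not modelled."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def protected_patterns(root):
    """url-patterns of constraints that actually require a role.
    A <security-constraint> without <auth-constraint> restricts nobody."""
    pats = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue
        for p in sc.findall("web-resource-collection/url-pattern"):
            pats.append(p.text.strip())
    return pats


def candidate_paths(pattern):
    """Request paths a client could use to hit a servlet mapped at `pattern`."""
    if pattern.endswith("/*"):
        return [pattern[:-2] or "/", pattern[:-1] + "anything"]
    if pattern.startswith("*."):
        return ["/page" + pattern[1:]]
    return [pattern]


def audit(web_xml, invoker_enabled=True):
    """Return {servlet-name: [unprotected request paths]}; empty dict means
    every modelled route to every servlet is behind an auth-constraint."""
    root = ET.fromstring(web_xml)
    protected = protected_patterns(root)

    def is_protected(path):
        return any(url_pattern_matches(p, path) for p in protected)

    report = {}
    for m in root.findall("servlet-mapping"):
        name = m.findtext("servlet-name").strip()
        holes = [p for p in candidate_paths(m.findtext("url-pattern").strip())
                 if not is_protected(p)]
        if holes:
            report.setdefault(name, []).extend(holes)
    if invoker_enabled:  # routes that bypass the mapping entirely
        for s in root.findall("servlet"):
            name = s.findtext("servlet-name").strip()
            for p in (INVOKER_PREFIX + name,
                      INVOKER_PREFIX + s.findtext("servlet-class").strip()):
                if not is_protected(p):
                    report.setdefault(name, []).append(p)
    return report


if __name__ == "__main__":
    for label, xml in (("mapped", WEB_XML_MAPPED), ("invoker", WEB_XML_INVOKER)):
        print(label, audit(xml))
```

Run against the first descriptor, the audit finds the mapped path /ts/* itself covered, but reports /servlet/Test and /servlet/com.mongoosetech.test.TestServlet as unprotected if the invoker is enabled; the second descriptor reports nothing because its constraint sits on the only route that exists. The practical takeaway for a descriptor like the first one is to constrain both the mapping and the invoker prefix (or disable the invoker), and to make sure the constraint really carries an <auth-constraint> and the app declares a <login-config>.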