On Jan 13, 2006, at 8:18 AM, Jian Liao wrote:

> Hi all,
>
> I am working on integrating Jetspeed 2 with Geronimo (Tomcat container). I have the following configuration in my j2 main web.xml.
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Login</web-resource-name>
>         <url-pattern>/login/redirector</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>*</role-name>
>       </auth-constraint>
>     </security-constraint>
>
> But there is no role defined in this web.xml.
>
> Should it have a WebResourcePermission("/login/redirector", "GET,POST,PUT,DELETE,HEAD,OPTIONS,TRACE") to be added to unchecked policy statements? I think this special case is equal to "A WebResourcePermission must be added to the unchecked policy statements for each distinct url-pattern occurring in the security-constraint elements that do not contain an auth-constraint."
>
> I did read JACC spec SRV. 3.1.3.1 and servlet 2.4 spec SRV.12.8 and found nothing about this case (correct me if I am wrong).
>
> When I run this configuration on Tomcat 5.5.12, everything is OK; Tomcat treats * as allRole even though there is no role defined in web.xml, and hasResourcePermission() always returns true. But when I run this with Geronimo SVN head, it always returns false. Any help would be appreciated!

I'm pretty sure our behavior is correct. The paragraph previous to the one you quote says:

    When an auth-constraint names the reserved role-name, "*", all of the patterns in the containing security-constraint must be combined with all of the roles defined in the web application.

Therefore, I think that if there are no roles defined in the web application, you have effectively made this an excluded resource. I think if Tomcat standalone has different behavior, it is wrong.

thanks
david jencks

> - Jian Liao
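
The rule quoted in the reply, applied to the constraint from the question, as an added example that is not part of the original thread: a Python model of the role expansion, not Geronimo's or Tomcat's code. The sample descriptors, the `admin` and `user` roles and all function names are constructed for illustration; HTTP methods and the merging of overlapping constraints are left out.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the constraint from the thread, no <security-role>.
NO_ROLES = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same descriptor with two constructed role declarations added.
WITH_ROLES = NO_ROLES.replace(
    "</web-app>",
    "<security-role><role-name>admin</role-name></security-role>"
    "<security-role><role-name>user</role-name></security-role></web-app>")


def _find(elem, name):
    """Descendants with this local tag name, ignoring any XML namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _texts(elems):
    return [(e.text or "").strip() for e in elems]


def expand_constraints(web_xml):
    """Map url-pattern -> 'unchecked' or the sorted roles allowed ([] = excluded)."""
    root = ET.fromstring(web_xml)
    declared = set()
    for role in _find(root, "security-role"):
        declared.update(_texts(_find(role, "role-name")))
    access = {}
    for sc in _find(root, "security-constraint"):
        auth = _find(sc, "auth-constraint")
        if not auth:
            allowed = "unchecked"          # no auth-constraint at all
        else:
            roles = set()
            for name in _texts(_find(auth[0], "role-name")):
                # "*" is combined with the declared roles, never "any user"
                roles.update(declared if name == "*" else {name})
            allowed = sorted(roles)        # empty list: nobody is permitted
        for pattern in _texts(_find(sc, "url-pattern")):
            access[pattern] = allowed
    return access


def excluded_patterns(web_xml):
    """Patterns no role can reach (empty auth-constraint, or '*' with no roles)."""
    return [p for p, a in expand_constraints(web_xml).items() if a == []]
```

Running `excluded_patterns` over a descriptor before deployment flags URL patterns whose access depends on how a given container treats `*` when no roles are declared.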