Hello, Tomcat users!

Earlier this week I stumbled on the following problem. I already found a solution to it but I am still not sure whether I had misconfigured things or whether this is a Tomcat bug that should be filed (didn't find an existing record). Could someone with more expertise confirm if the following is correct behaviour according to servlet standard (short explanation would be nice in that case).

I am using Tomcat 3.2.3. I have a servlet mapped to / (within its application context) and I have restricted the access to / using the following webapp definition.

- clip -
<servlet>
  <servlet-name>sms-dispatcher</servlet-name>
  <servlet-class>fi.rossum.bg.sms.SMSDispatcher</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>sms-dispatcher</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>sms-dispatcher</web-resource-name>
    <url-pattern>/</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>smscore</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>smscore</realm-name>
</login-config>
- clip -

However, when I point my browser at

  http://127.0.0.1:8080/smsdispatcher/

Tomcat lets me in without basic authentication! Now, when I do the following modification...

- clip -
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>sms-dispatcher</web-resource-name>
- <url-pattern>/</url-pattern>
+ <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>smscore</role-name>
- clip -

...everything starts working as expected and I have to provide a user name and password. Is this really how it is supposed to work?

Thanks for clarifications!

-- Johannes Lehtinen <[EMAIL PROTECTED]>, http://www.iki.fi/jle/
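
Review bot: the changed line `+ <url-pattern>/*</url-pattern>` carries no comment saying why it differs from the servlet-mapping's `<url-pattern>/</url-pattern>`, so a later cleanup could align the two again and silently drop the BASIC prompt described above; add an XML comment next to it recording that `/` did not enforce the constraint on Tomcat 3.2.3. The constraint also relies on `<auth-method>BASIC</auth-method>` with no transport requirement visible in the snippet, so the user name and password are only base64-encoded in transit unless the connector itself is restricted to SSL.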
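
An added example, not part of the original post and not Tomcat's own code: a small Python audit that lists servlet mappings in a web.xml that no auth-constrained url-pattern covers. It assumes, conservatively and based only on the behaviour reported above for Tomcat 3.2.3, that a constraint pattern of `/` does not protect a servlet mapped to `/`; the function names and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor fragments from the post wrapped in <web-app>;
# %s is the constraint's url-pattern. Assumes a DTD-style web.xml without namespaces.
WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>sms-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sms-dispatcher</web-resource-name>
      <url-pattern>%s</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>smscore</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def covers(constraint, mapping):
    """True if a constraint url-pattern protects every path the mapping can serve."""
    if constraint.endswith("/*"):
        prefix = constraint[:-2]               # "/*" -> "", "/admin/*" -> "/admin"
        if prefix == "":
            return True                        # "/*" spans the whole context
        base = mapping[:-2] if mapping.endswith("/*") else mapping
        return base == prefix or base.startswith(prefix + "/")
    if mapping == "/" or mapping.endswith("/*"):
        # Assumption (from the post's Tomcat 3.2.3 report): an exact, extension or
        # bare "/" constraint does not protect a default or path-prefix mapping.
        return False
    return constraint == mapping

def unprotected_mappings(web_xml):
    """Return [(servlet-name, url-pattern)] for mappings no auth-constrained pattern covers."""
    root = ET.fromstring(web_xml)
    protected = [p.text.strip()
                 for sc in root.iter("security-constraint")
                 if sc.find("auth-constraint") is not None
                 for wrc in sc.iter("web-resource-collection")
                 if wrc.find("http-method") is None   # method-limited rules leave gaps
                 for p in wrc.iter("url-pattern")]
    findings = []
    for m in root.iter("servlet-mapping"):
        name = m.findtext("servlet-name", "").strip()
        pattern = m.findtext("url-pattern", "").strip()
        if not any(covers(c, pattern) for c in protected):
            findings.append((name, pattern))
    return findings

if __name__ == "__main__":
    for pat in ("/", "/*"):
        print(repr(pat), "->", unprotected_mappings(WEB_XML % pat))
```

Run against a real descriptor by passing its text to `unprotected_mappings`; an empty list means every mapped servlet sits behind an auth constraint under the stated assumption.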