Hi all! I've encountered following problem. i have a protected area defined in my web.xml file: <security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/protected/*</url-pattern> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <role-name>test</role-name> <role-name>develope</role-name> <role-name>agent</role-name> </auth-constraint> </security-constraint> under /protected I have serveral jsp files and they cannot be accessed without authorization. however html and js files can be easily accessed without authorization, simply by requesting a proper URL (http://mydomain/protected/somefile.html) !!!!!! why is that? vVolf --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]