I have installed the server (Orion/1.0rc1), deployed a test application and all appears to working well. I would now like to add in basic authentication to a section of the web site. When I configure the application deployment descriptor (web.xml) in the usual way to add in a security-constraint using basic authentication and then access the restricted area, the browser displays: 403 Forbidden Error initializing security, security-role not found: users I have tried playing with the principals.xml file in various forms (having the group name users, adding individuals to the group, etc.), but nothing seems to have any effect. Can someone explain to me the process that Orion uses to map roles to groups to users (e.g. Which configuration files are involved? Can roles be mapped on a per application basis (e.g. using /META-INF/principals.xml as one mailing list post suggests)?). Or point me to any documentation that describes this. Thanks in advance, Tony