Hi: I would think if, in web.xml, the <url-pattern> in the <security-constraint> and in the <servlet-mapping> were identical then security would be enforced. But this does not seem to be happening. For example: <servlet> <servlet-name>Test</servlet-name> <servlet-class>test.test.TestServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>Test</servlet-name> <url-pattern>/test</url-pattern> </servlet-mapping> should be protected with a login screen if I have <security-constraint> <web-resource-collection> <web-resource-name>Everthing</web-resource-name> <url-pattern>/test</url-pattern> <http-method>*</http-method> </web-resource-collection> <auth-constraint> <role-name>users</role-name> </auth-constraint> </security-constraint> This does not cause the login screen to come up as expected. I tried <url-pattern> /* but that caused all kinds of problems. /test/* didn't work either. If I attempt to protect a JSP or HTML file - that works fine, so I know it has nothing to do with the principals.xml or roles I have setup for the web app. Any ideas? Kit Cragin VP of Product Development Mongoose Technology, Inc. www.mongoosetech.com