I am trying to specify security constraints for my web app and am running into some difficulty.

In the web.xml file below for twa.war (twa = test web application), what is the correct <url-pattern> element of the <security-constraint> element that will cause /login/login.jsp to be invoked when the user attempts to access the "mytwa" servlet?

i.e. http://localhost/twa/mytwa should invoke http://localhost/twa/login/login.jsp and then upon successful login redirect the user to that servlet.

/*, * cause a 500 error,
/mytwa, /mytwa/* pass the user straight to it.

I thought (checking with the 2.2 spec) that /mytwa/* was correct, but I guess not.

thanks,
Kit

------------------

<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <servlet>
    <servlet-name>mytwa</servlet-name>
    <servlet-class>twa.TestWebApp</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>mytwa</servlet-name>
    <url-pattern>/mytwa/*</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file>/login/login.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Every JSP Except Login Stuff</web-resource-name>
      <url-pattern>/*.jsp</url-pattern>
      <!-- WHAT SHOULD THE LINE BELOW BE? -->
      <url-pattern>/mytwa/*</url-pattern>
      <http-method>*</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>twausers</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>twausers</role-name>
    <description>Users of the TWA</description>
  </security-role>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/loginretry.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
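
Added example, not part of the original post: a small Python model of the Servlet specification's url-pattern rules (path mapping "/x/*", extension mapping "*.ext", default "/", anything else an exact match), run over the patterns mentioned above to check which request paths a <security-constraint> pattern would cover. The comparison pattern "*.jsp" and the sample paths are assumptions; HTTP-method handling and the container's treatment of the login page are not modelled.

```python
# Added example: url-pattern matching per the Servlet spec's mapping rules.
def classify(pattern):
    """Return the kind of mapping a <url-pattern> string denotes."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    return "exact"   # everything else is compared literally


def matches(pattern, path):
    """True if a context-relative request path falls under the pattern."""
    kind = classify(pattern)
    if kind == "path":
        prefix = pattern[:-2]            # "/mytwa/*" -> "/mytwa", "/*" -> ""
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        last_segment = path.rsplit("/", 1)[-1]
        return last_segment.endswith(pattern[1:])   # "*.jsp" -> ".jsp"
    if kind == "default":
        return True
    return path == pattern


def coverage(patterns, paths):
    """Map each path to the list of patterns that cover it."""
    return {p: [pat for pat in patterns if matches(pat, p)] for p in paths}


# Patterns the post mentions, plus "*.jsp" (assumption: added for comparison).
PATTERNS = ["/*.jsp", "*.jsp", "/mytwa/*", "/mytwa", "/*", "*"]
# Constructed context-relative paths (the part of the URL after /twa).
PATHS = ["/mytwa", "/mytwa/report", "/login/login.jsp", "/login/loginretry.jsp"]

if __name__ == "__main__":
    for pat in PATTERNS:
        print(f"{pat!r:12} -> {classify(pat)}")
    for path, pats in coverage(PATTERNS, PATHS).items():
        print(f"{path:24} covered by {pats}")
```

Under these rules "/*.jsp" and "*" are exact-match literals, while "/*" and "*.jsp" also cover the login and error pages themselves.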