Steve,

Type of realm should not make any difference for your web.xml. Your web.xml setup will be the same with JDBCRealm, or SimpleRealm or JndiRealm. You can use either form based auth (like in your example) or basic auth with JndiRealm. All JndiRealm config is done in Tomcat's server.xml file.

This fragment is from role-map.xml I presume?

<user-role name="cn=*,ou=vidchat,ou=accounts,dc=oven,dc=com">
  <app-role>user</app-role>
</user-role>

Right now the only wildcard supported is "*" but it is easy to add support for regular expressions. Actually you can plug in your own RoleMapper. I provided SimpleRoleMapper as an example and default. You can use your own (just have your com.acme.tomcat.MyRoleMapper implement the RoleMapper interface and in your server.xml specify roleMapperClass="com.acme.tomcat.MyRoleMapper").

Alex

Hey Alex,

Your JndiRealm looks very interesting. I'm currently installing it for testing. I have two questions about setup.

1. Can I use your realms in my web.xml as follows?

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>UmsRealm</realm-name>
  <form-login-config>
    <form-login-page>login.html</form-login-page>
    <form-error-page>error.html</form-error-page>
  </form-login-config>
</login-config>

2. Can I map names to roles, using wildcards as follows?

<user-role name="cn=*,ou=vidchat,ou=accounts,dc=oven,dc=com">
  <app-role>user</app-role>
</user-role>

-- Steve

Steve Cannon [EMAIL PROTECTED]
Chief Technology Officer -- OVEN
www.oven.com
646 613 2852
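
Added example, not part of the thread and not JndiRealm's own code: one way a "*" wildcard in a user-role name can be matched against a DN so that the pattern is anchored and the wildcard cannot absorb extra DN components. The class WildcardDnRoles and its methods are hypothetical, and it does not implement the RoleMapper interface, whose signature the thread does not show; that "*" stands for a single attribute value is an assumption.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical stand-alone matcher (assumption: "*" means one attribute value).
public class WildcardDnRoles {
    private final Map<Pattern, String> rules = new LinkedHashMap<>();

    // Convert a user-role name such as "cn=*,ou=vidchat,..." into a regex.
    // Literal text is quoted so DN characters are never treated as regex syntax;
    // "*" becomes [^,]+ so it cannot cross a comma into another DN component.
    // A value containing an escaped comma will not match (fails closed).
    static Pattern compile(String userRoleName) {
        String[] literals = userRoleName.split("\\*", -1);
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < literals.length; i++) {
            if (i > 0) re.append("[^,]+");
            re.append(Pattern.quote(literals[i]));
        }
        return Pattern.compile(re.toString(), Pattern.CASE_INSENSITIVE);
    }

    void add(String userRoleName, String appRole) {
        rules.put(compile(userRoleName), appRole);
    }

    // matches() requires the whole DN to fit the pattern, not just a substring.
    List<String> rolesFor(String dn) {
        List<String> roles = new ArrayList<>();
        for (Map.Entry<Pattern, String> rule : rules.entrySet()) {
            if (rule.getKey().matcher(dn).matches()) roles.add(rule.getValue());
        }
        return roles;
    }

    public static void main(String[] args) {
        WildcardDnRoles mapper = new WildcardDnRoles();
        mapper.add("cn=*,ou=vidchat,ou=accounts,dc=oven,dc=com", "user");
        String[] dns = {  // constructed sample DNs
            "cn=steve,ou=vidchat,ou=accounts,dc=oven,dc=com",
            "cn=steve,ou=guests,ou=vidchat,ou=accounts,dc=oven,dc=com",
            "cn=steve,ou=vidchat,ou=accounts,dc=oven,dc=com,dc=example",
        };
        for (String dn : dns) System.out.println(dn + " -> " + mapper.rolesFor(dn));
    }
}
```

Only the first sample DN receives the user role; the entry nested under ou=guests and the DN with a trailing extra component are rejected.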