i am using <auto-method>Form</auto-method> I get back null, when sending home.jsp that include login. for example http://localhost:8080/ems/home.jsp I get back http://localhsot:8080/ems/null I checked tomcat-usr. my xml.page <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd"> <web-app> <welcome-file-list> <welcome-file>/home.jsp</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>EMS Protected Area</web-resource-name> <!-- Define the context-relative URL(s) to be protected --> <url-pattern>security\protected\*</url-pattern> <!-- If you list http methods, only those methods are protected --> <!-- <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> --> </web-resource-collection> <auth-constraint> <!-- Anyone with one of the listed roles may access this area --> <role-name>tomcat</role-name> <role-name>ems</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>EMS Protected Area</realm-name> <form-login-config> <form-login-page>/home.jsp</form-login-page> <form-error-page>/security/notprotected/error.jsp</form-error-page> </form-login-config> </login-config> </web-app> Please help. What have I missed? Batsheva