I am using struts with iAS sp3. I am sending all urls through my action servlet with the following mapping: <servlet-mapping> <servlet-name>action</servlet-name> <url-pattern>*.do</url-pattern> </servlet-mapping> And I'm protecting this with the following security-constraint: <web-resource-collection> <web-resource-name>LDAPSecurity</web-resource-name> <description>LDAP-controlled Security</description> <url-pattern>*.do</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> The problem I'm facing is that I get a 403 Unauthorized error and I never get directed to my formLogin.jsp (which is a registered JSP), and it never kicks off FormAuthServlet. I tried changing <url-pattern> to "/.do", and then it kicks off FormAuthServlet, but then I get an error that "user formLogin.jsp" is not logged in, while accessing application <appName>. I've noticed that if I leave the pattern as *.do, and I go into kregedit and add the value "/timetracker/*.do=FORM" to the following key: SOFTWARE\iPlanet\Application Server\6.0\CCS0\HTTPAPI\SecUrlTrans it works as I would expect it to. "timetracker*do=FORM" is already a value in this key. Any ideas?? Does anyone know how to get this key to set both values, or do I always have to "hack it" to make it work like I want? Thanks, Matt _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com