Hi, apologies as this is a bit of a cross-post from tomcat-user last week (was getting no responses from there).

I need to work out what's going on re: roles and login. I'm observing some unexpected behaviour in Tomcat (3.2.1) in conjunction with roles.

This is the situation (web.xml is at the bottom):

two roles:
  Customer
  Gold Customer

a user:
  Joe Bloggs

Joe is a "Customer" but not a "Gold Customer".

This is what I observe:

1) new browser (not logged in) browse to /control/CustomerSecurePage
2) browser is redirected to /login.jsp
3) Joe logs in and is redirected to /control/CustomerSecurePage
4) browse to /control/GoldSecurePage
5) browser redirected to /control/loginerror
6) Joe is now logged out; any subsequent attempts to browse to a page secured by the "customer" role result in a redirection to the login page.

Is this correct behaviour? I would have expected an attempt to access the gold url to have denied access but not to have logged the user out!

Unless I can resolve this I'm going to have to abandon using tomcat to manage access to restricted content. This is not something I want to do. I've tried working through the source but got lost.
Thanks in advance,
Nathan

This is the relevant section of web.xml:

****************************************************************
<security-constraint>
  <web-resource-collection>
    <web-resource-name>MySecureBit0</web-resource-name>
    <description>no description</description>
    <url-pattern>/control/GoldSecurePage</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>no description</description>
    <role-name>gold</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MySecureBit1</web-resource-name>
    <description>no description</description>
    <url-pattern>/control/CustomerSecurePage</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>no description</description>
    <role-name>customer</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>TheGiftStore</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/control/loginerror</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <description>the customer role</description>
  <role-name>customer</role-name>
</security-role>

<security-role>
  <description>the gold customer role</description>
  <role-name>gold</role-name>
</security-role>
****************************************************************
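As an added example (not part of Nathan's post and not Tomcat's own code), the following Python models the authorization decision the servlet spec prescribes for the posted web.xml: parse the security-constraint and login-config elements, match each request against the url-patterns and http-methods, and decide whether to allow it, send the user to the login form, or refuse it with 403 while leaving the session untouched. It replays the six steps from the post; step 5 comes out as "forbidden", not as a logout. The helper names, the wrapping <web-app> root, the Joe Bloggs session (holding only the "customer" role) and the assumption that the prose's "Customer"/"Gold Customer" are the fragment's "customer"/"gold" roles are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the web.xml fragment from the post (descriptions and
# <security-role> elements dropped), wrapped in a <web-app> root so it parses.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureBit0</web-resource-name>
      <url-pattern>/control/GoldSecurePage</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>gold</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureBit1</web-resource-name>
      <url-pattern>/control/CustomerSecurePage</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>TheGiftStore</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/control/loginerror</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""


def parse_web_xml(xml_text):
    """Return (constraints, login_pages) from a web.xml document string."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
        auth = sc.find("auth-constraint")
        # No <auth-constraint>: unrestricted. An <auth-constraint> naming no
        # <role-name>: nobody may access (servlet-spec semantics).
        roles = None if auth is None else {r.text.strip() for r in auth.findall("role-name")}
        constraints.append({"patterns": patterns, "methods": methods, "roles": roles})
    flc = root.find("login-config/form-login-config")
    pages = {"login": flc.findtext("form-login-page").strip(),
             "error": flc.findtext("form-error-page").strip()}
    return constraints, pages


def url_pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix, extension, default."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def authorize(constraints, session, method, path):
    """Decide one request. session is {"user": name-or-None, "roles": set()}.

    Returns "allow", "login" (show the form-login-page) or "forbidden" (403).
    The session is never modified: a 403 must not log the user out.
    """
    matched = [c for c in constraints
               if any(url_pattern_matches(p, path) for p in c["patterns"])
               and (not c["methods"] or method.upper() in c["methods"])]
    if not matched or any(c["roles"] is None for c in matched):
        return "allow"                       # unconstrained resource
    required = set().union(*(c["roles"] for c in matched))  # roles combine as a union
    if session["user"] is None:
        return "login"                       # authenticate first
    if session["roles"] & required:
        return "allow"
    return "forbidden"                       # authenticated but lacks the role: 403


def walk_through(constraints):
    """Replay the six-step scenario from the post with a modelled session."""
    anon = {"user": None, "roles": set()}
    joe = {"user": "Joe Bloggs", "roles": {"customer"}}   # constructed: customer, not gold
    return [
        authorize(constraints, anon, "GET", "/control/CustomerSecurePage"),  # steps 1-2
        authorize(constraints, joe, "GET", "/control/CustomerSecurePage"),   # step 3
        authorize(constraints, joe, "GET", "/control/GoldSecurePage"),       # steps 4-5
        authorize(constraints, joe, "GET", "/control/CustomerSecurePage"),   # step 6
    ]


if __name__ == "__main__":
    constraints, pages = parse_web_xml(WEB_XML)
    for step, outcome in zip(("1-2", "3", "4-5", "6"), walk_through(constraints)):
        print(f"step {step}: {outcome}")
```

One caveat the model makes visible: because each web-resource-collection lists only GET and POST, any other method (HEAD, PUT, OPTIONS) on those URLs falls outside the constraint and is unrestricted, which is how the servlet spec treats an explicit http-method list. Omitting the http-method elements entirely constrains every method.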