when i attempt to use CLIENT-CERT auth with the tomcat 4 manager webapp, tomcat appears to still be looking for basic auth credentials. for example, if i change web.xml in the manager webapp to look like this:

--- snip ---
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
--- end snip ---

and configure an ssl connector along with my keystore, then try to access the manager app from a client, i get a 401:

HTTP/1.1 401 Cannot authenticate with the provided credentials
Content-Type: text/html
Date: Thu, 23 Aug 2001 20:46:21 GMT
Server: Apache Tomcat/4.0-b8-dev (HTTP/1.1 Connector)
Connection: close
Connection: close

<html>
<head>
<title>Tomcat Error Report</title>
<br><br>
<h1>HTTP Status 401 - Cannot authenticate with the provided credentials</h1>
</body>
</html>

two messages appear to show up in the log when i send the request:

2001-08-23 16:09:14 CertificatesValve[/manager]: verify: SSLPeerUnverifiedException
2001-08-23 16:09:15 CertificatesValve[/manager]: expose: Exposing converted certificates

which, from looking through CertificatesValve.java, seems to indicate that the client cert chain was properly verified.

from reading the servlet spec, it seems that using CLIENT-CERT should not require me to do basic auth as well. did i read the spec wrong, or is this a tomcat 4 bug?

thanks,
-kevin.
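A triage check for the report above, added here as an example and not part of the original post: it reads the descriptor to confirm which auth method is configured, then inspects the 401 for a `WWW-Authenticate` header, which is how an HTTP Basic challenge is signalled (RFC 2617). The function names are hypothetical, and the inputs are constructed from the fragment and headers quoted in the post.

```python
import xml.etree.ElementTree as ET

# Constructed input: the descriptor fragment from the post, wrapped in a
# <web-app> root so it parses as a document.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

# Constructed input: status line and headers as quoted in the post.
RESPONSE = (
    "HTTP/1.1 401 Cannot authenticate with the provided credentials\r\n"
    "Content-Type: text/html\r\n"
    "Date: Thu, 23 Aug 2001 20:46:21 GMT\r\n"
    "Server: Apache Tomcat/4.0-b8-dev (HTTP/1.1 Connector)\r\n"
    "Connection: close\r\n"
    "Connection: close\r\n\r\n"
)

def descriptor_summary(xml_text):
    """Return the auth method, protected URL patterns and required roles."""
    root = ET.fromstring(xml_text)
    return {
        "auth_method": (root.findtext("login-config/auth-method") or "").strip(),
        "url_patterns": [e.text.strip() for e in root.iter("url-pattern")],
        "roles": [e.text.strip() for e in root.iter("role-name")],
    }

def challenge_schemes(raw_response):
    """Return (status code, WWW-Authenticate schemes in lower case)."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return status, schemes

def classify(raw_response):
    """Label a response by whether it carries a Basic challenge."""
    status, schemes = challenge_schemes(raw_response)
    if status != 401:
        return "not-401"
    return "basic-challenge" if "basic" in schemes else "no-basic-challenge"
```
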