So I looked at the servlet spec, but it doesn't specify (as far as I read) how hierarchical security constraints should work and Tomcat 4.1.27 seems to not do hierarchical constraints :) Also searching the list I didn't turn up results of this type, although I swear I've seen this issue before...
I want to secure "/*" with a standard role and then "/stuff1" with another role and "/stuff2" with yet another role. So I put in the web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>General Secured content root</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>standard</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>General Secured content root</web-resource-name>
    <url-pattern>/stuff1</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>usertype1</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>General Secured content root</web-resource-name>
    <url-pattern>/stuff2</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>usertype2</role-name>
  </auth-constraint>
</security-constraint>

But the second two seem to be overridden by the first. (A link on a WebLogic site shows the above to work, but I don't have WebLogic.) Is this known behavior or did I miss something?
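An added example, not part of the original post and not Tomcat's code: a small Python model of the three constraints above, comparing declaration-order (first-match) evaluation, assumed here as one explanation of the reported behaviour, with the best-match url-pattern selection that later versions of the Servlet specification define. All function names are hypothetical, and the HTTP method is left out because all three constraints list the same methods.

```python
# Constructed model of the three <security-constraint> entries from the post,
# in declaration order: (url-pattern, role-name).
CONSTRAINTS = [
    ("/*", "standard"),
    ("/stuff1", "usertype1"),
    ("/stuff2", "usertype2"),
]


def matches(pattern, path):
    """Servlet url-pattern test; returns a specificity rank, or None if no match."""
    if pattern == path:
        return (3, len(pattern))          # exact match is the most specific
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))       # path-prefix match, longest prefix wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                     # extension match
    if pattern == "/":
        return (0, 0)                     # default mapping
    return None


def first_match_roles(path):
    """Assumed declaration-order evaluation: the first matching constraint decides."""
    for pattern, role in CONSTRAINTS:
        if matches(pattern, path) is not None:
            return {role}
    return set()                          # no constraint applies to this path


def best_match_roles(path):
    """Best-match evaluation: only the most specific url-pattern applies;
    roles of constraints that share that pattern are combined."""
    ranked = [(matches(p, path), r) for p, r in CONSTRAINTS]
    ranked = [(rank, r) for rank, r in ranked if rank is not None]
    if not ranked:
        return set()
    best = max(rank for rank, _ in ranked)
    return {r for rank, r in ranked if rank == best}


if __name__ == "__main__":
    for p in ("/index.jsp", "/stuff1", "/stuff1/report.jsp", "/stuff2"):
        print(p, sorted(first_match_roles(p)), sorted(best_match_roles(p)))
```

Under best-match rules the exact pattern "/stuff1" covers only that one path, so a sub-path such as "/stuff1/report.jsp" still falls under "/*"; a pattern of "/stuff1/*" would be needed to cover the subtree.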