I (accidently) figured out the problem with the <security-constraint>. The problem was in the Connector definition for port 80 in server.xml. The excerpt from server.xml that I posted was correct because it was inadvertently from the 5.0.16 installation. (The editor helpfully "remembered" it for me.)
In the 5.0.18 installation that I was actually using, the redirectPort attribute for the Connect on port 80 was still port 8443 rather than port 443, which I had set up the SSL Connector for. Not that I'm trying salve my ego or anything :-), but I still think there may be a Tomcat installation problem/oddity/gotcha. During the installation of the *.exe version, it asks what port you want Tomcat to listen on with the default (reasonably enough) as 8080. I set that input field to 80. In server.xml, the port attribute of the Connector element was properly changed from 8080 to 80, but the redirectPort of that connector was left unchanged as 8443. This may be a mis-feature, depending upon on your view point. One way of looking at it is that ports 80 and 443 go together while ports 8080 and 8433 go together. If the installation dialog allows the default listen port to be changed from 8080 to 80, then shouldn't it also change the default SSL port from 8433 to 433 along with enabling the Connector for port 443? Perhaps the installation needs an additional option of the "what port do you want" dialog that lets you pick an SSL port if you want one where the default is no SSL. At least that dialog choice would make it clear that the choice of HTTP port is independent of the choice of HTTPS port. Anyway, it works for now. Merrill --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]