I just noticed that if I set a 403 error status in a servlet, Tomcat automatically adds the following HTML body with the error: <h1>SSL required to access this page</H1> Ugh. I looked at the source code (3.2.2 of Tomcat) and notice that if no 403 error-code handler is registered, it defaults to SSLRequiredHandler. IMO, this is a bad default since SSL access is only one of many possible reasons that access to a resource is forbidden. To me, there should be no default, or if there is one, it should be a canned response like "Access Forbidden". So why was this done? A hack for SSL support? And when will it be changed. --ewh -- Earl W. Hood Texas Instruments [EMAIL PROTECTED] 972-917-1695