Hi, A question re declarative security and form-based authentication and subsequent request authorization:
Can anyone confirm whether or not authorization (i.e. role checking) is repeated for each request (to a secured resource) after a user has been authenticated? There would be times when a subsequent request comes in to a resource secured under a role which is higher or lower within the application's user hierarchy, and I need to know what behaviour Tomcat implements. Tomcat will surely have a list of valid roles for a particular authenticated user, right? This would make sense, as a check can be performed as and when required to determine whether or not the user has been assigned the required role.

jfc