Michael -
>Wouldn't '/p/*' imply a match for URLs that contain /p/ That is what it's supposed to match, from the servlet spec. >(e.g. http://server/webapp/p/securelist.do). This is authenticated, as expected. The problem, as I stated, is that this url also forces authentication -> but it should not... notice that there isn't a /p/ path present, but there is a path that starts with a 'p' http://server/webapp/public/list.do > This would explain why all other URLs > fail to get authentication... they are missing the /p/* pattern The point I was making is that the /p/* pattern seems to [incorrectly] match anything that starts with a lowercase p rather than /p/anythinghere http://server/webapp/Public/list.do -> public access, no auth http://server/webapp/ublic/list.do -> public access, no auth >Why not try /public/* Because what I want is that for all requests under /p/ to be 'protected' and anything else to be publicly available. Tim -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>