I recently upgraded from tomcat 5.0.28 to 5.5.17. I have security set up on all my apps to allow any user that can authenticate against ldap access to the application....
So in 5.0.28, I defined <role-name>*</role-name> to allow all role names. In 5.5.17 the behavior changes on the role-name attribute, and apparently the * now means "all roles defined inside of web.xml" instead of the previous "all/any roles".. I understand that after tomcat 5.5.12, tomcat was "fixed" to conform to the 2.4 servlet spec, in which the * 's meaning is redefined. Suck. I dont want to have to define 300 roles in web.xml.. Once I do that, I am now maintaning roles in 2 places. ***As a test/workaround, I downloaded 5.5.12 and copied catalina.jar from server/lib to my 5.5.17 installation.. !Voila! authentication now works with the <role-name>*</role-name> questions: Why is there no backwards compatibility? or is there and I just have to tell it which servlet spec to use? ***As, for my workaround. I cant see this as being a very good solution... I'm guessing this will cause problems elsewhere?? I could just use 5.5.12, but I'm sure there are some bug fixes along the way that I would benefit from.. thanks, Brian