Chuck, Thank you for your quick response. I have looked at the section 12 specifically 12.3 and 12.4 but I must be missing something. I don't understand how the <security-role> tag is use full when you are already restricting a resource through the <auth-constraint>. Is this meant simply to give a less abstract name to a role? For example if the user role in the OID that I am interested in is named 102934756.Portal.User then I can map that to a simpler name like Portal.
Also is there another way to pragmatically restrict other than isUserInRole(). I don't get how I am not being authorized when there doesn't seem to be any code in place to check this? --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]