Thanks for the reply.

The underlying issue is that when Role R is required for Page P then *TWO* things need to happen depending on whether the user is in role R. These are

1. Allow or block access to page P.
2. Grey out or not grey out the menu item for page P.

We only want to specify the fact that Role R is required for Page P ONCE. Declarations in web.xml handle 1. but not 2. That is why I want to do it "manually". (Where "manual" means a few lines of code in one specific method that is automatically called by all pages as part of a larger infrastructure.)

> Well, since you haven't asked Tomcat to provide authorization, it
> doesn't care about authentication. That seems perfectly reasonable to me.

Not so. I have asked Tomcat to provide authorization by calling request.isUserInRole(...). And Tomcat fails. IMHO it is a straight bug in an optimization. isUserInRole etc. needs to have an extra test:

    if (! authenticationHeaderProcessed() ) processAuthenticationHeader();

I'll hack around it if there is no magic option.

Anthony

> Berglas, Anthony wrote:
> > Tomcat seems to only check the Authorization: headers if there is some
> > <security-constraint> explicitly declared in web.xml. However, it
> > appears that the optimization has been incorrectly implemented because
> > it does not then recheck the header if request.isUserInRole(...) etc.
> > are called. So users cannot log into a system that uses
> > request.isUserInRole(...).
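The "declare the role once, use it twice" design described in the message above, as an added example that is not part of the original thread or of Tomcat. The class name PageRoles, the page paths, the role names and the javax.servlet package are assumptions. request.isUserInRole(...) returns false for a request the container has not authenticated, so both methods depend on the container having processed the credentials, which is the behaviour under discussion.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical registry: each page's required role is declared exactly once. */
public final class PageRoles {
    private static final Map<String, String> REQUIRED = new LinkedHashMap<>();
    static {
        // Constructed sample entries; paths and role names are placeholders.
        REQUIRED.put("/admin/users.jsp", "admin");
        REQUIRED.put("/reports/sales.jsp", "manager");
    }

    private PageRoles() {}

    /** Single decision point shared by the access check and the menu. */
    public static boolean isAllowed(HttpServletRequest req, String page) {
        String role = REQUIRED.get(page);
        // Pages with no entry are open here; return false instead for deny-by-default.
        return role == null || req.isUserInRole(role);
    }

    /** Consequence 1: called from the common per-page method; blocks access. */
    public static boolean enforce(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (isAllowed(req, req.getServletPath())) {
            return true;
        }
        // The greyed-out menu is only cosmetic; this is the actual control.
        resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }

    /** Consequence 2: the menu greys out items the user cannot open. */
    public static String menuItem(HttpServletRequest req, String page, String label) {
        // label is assumed to be a trusted constant; escape it if it can hold user data.
        if (isAllowed(req, page)) {
            return "<a href=\"" + req.getContextPath() + page + "\">" + label + "</a>";
        }
        return "<span class=\"disabled\">" + label + "</span>";
    }
}
```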