Caldarale, Charles R wrote:
>> From: Marcel Stör [mailto:mar...@frightanic.com]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
>>
>> No, I only mentioned this because Tomcat throws an SQL exception
>> because it tries to query a table called "" if I don't specify a role
>> table in the realm config in context.xml
>
> That's because of the strong implication in the servlet spec that roles are
> required; any behavior you observe in a particular Tomcat level when no roles
> exist is very likely an accident and not guaranteed from one version to the
> next.

The spec is clearer than that. The "*" role == all roles defined in web.xml.
Unfortunately, Tomcat used to treat "*" as any authenticated user - not quite
what the spec requires. That was fixed - check the change log for the version.
The undocumented realm attribute allRolesMode (see RealmBase) can be used to
control this behaviour.

Mark
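
The two settings discussed in the reply above, as an added configuration example that is not part of the original thread: a "*" auth-constraint in web.xml and the realm's allRolesMode attribute in context.xml. The realm class, data source, table, column, URL pattern and role names are assumptions; the three allRolesMode values are the ones listed in the Tomcat Realm documentation for versions that document the attribute.

```xml
<!-- WEB-INF/web.xml (fragment; URL pattern and role names are constructed) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Per the spec, "*" expands to the roles declared in the
         <security-role> elements below, not to "any authenticated user". -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>user</role-name>
</security-role>
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- META-INF/context.xml (fragment; data source, table and column
     names are constructed) -->
<Context>
  <!-- allRolesMode controls how "*" in an auth-constraint is evaluated:
       strict          (default) the user must hold one of the roles
                       declared in web.xml
       authOnly        any authenticated user passes; assigned roles
                       are not checked
       strictAuthOnly  behaves as authOnly when web.xml declares no
                       roles, otherwise as strict
       Keep strict unless "any logged-in user" is the intended policy,
       since authOnly widens access to every account the realm accepts. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authDB"
         localDataSource="true"
         userTable="users" userNameCol="username" userCredCol="password"
         userRoleTable="user_roles" roleNameCol="role_name"
         allRolesMode="strict"/>
</Context>
```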