Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Subject: Re: Request not forwarded to login page with
>> security-constraint after session time-out
>>
>> The spec is clearer than that. The "*" role == all roles
>> defined in web.xml.
>
> Yes, but what it's not clear about is what happens when there are *no* roles
> defined in web.xml, which is the situation the OP has.

I thought it was pretty clear. If "*" is all roles defined and you have no
roles defined then you are basically preventing anyone from accessing that
resource (subject to the weird and wonderful rules on combining security
constraints).

Mark
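
An added example, not part of the thread and not Tomcat code: a Python check that applies the reading given in the reply above, expanding "*" to the roles declared with <security-role> and flagging any security-constraint whose effective role set is empty. The function name, verdict labels and sample descriptors are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any XML namespace so descriptors of every schema version match.
    return tag.rsplit("}", 1)[-1]

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _texts(elems):
    return [(e.text or "").strip() for e in elems]

def audit_web_xml(xml_text):
    """Return [(url_patterns, effective_roles, verdict)], one per security-constraint.
    Each constraint is judged in isolation; combination rules are not modelled."""
    root = ET.fromstring(xml_text)
    declared = {r for sr in _kids(root, "security-role")
                for r in _texts(_kids(sr, "role-name"))}
    findings = []
    for sc in _kids(root, "security-constraint"):
        patterns = [p for wrc in _kids(sc, "web-resource-collection")
                    for p in _texts(_kids(wrc, "url-pattern"))]
        auth = _kids(sc, "auth-constraint")
        if not auth:
            findings.append((patterns, None, "no-auth-constraint"))
            continue
        named = set(_texts(_kids(auth[0], "role-name")))
        # "*" stands for every role declared through <security-role>.
        effective = (named - {"*"}) | (declared if "*" in named else set())
        verdict = "roles" if effective else "deny-all"
        findings.append((patterns, sorted(effective), verdict))
    return findings

# Constructed sample descriptors (not the original poster's web.xml).
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>app</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint>"""
NO_ROLES = "<web-app>" + CONSTRAINT + "</web-app>"
WITH_ROLE = ("<web-app>" + CONSTRAINT +
             "<security-role><role-name>user</role-name></security-role></web-app>")

if __name__ == "__main__":
    for name, doc in (("no roles", NO_ROLES), ("one role", WITH_ROLE)):
        print(name, audit_web_xml(doc))
```

A "deny-all" verdict on a constraint that uses "*" is the situation discussed in this thread: the fix is to declare the intended roles with <security-role>.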