> From: Mark Thomas [mailto:ma...@apache.org] > Subject: Re: Request not forwarded to login page with > security-constraint after session time-out
> > What the spec is not explicit about is the combination > > of "*" with an empty or non-existant <security-role> list. > I think it is quite clear. It means no-one gets access. We'll have to agree to disagree; I find it ambiguous, and obviously others have different interpretations, so it definitely isn't clear. I'd like to see the spec document how authentication can be configured when no authorization (and therefore no roles) is necessary. > Chuck and I are off on our own little tangent. Not sure that's entirely true, since the OP's situation (authentication without need for authorization) doesn't seem to be covered by the spec, and behavior of other containers (and even different versions of Tomcat) may well differ from what he's getting today. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org