It's true that how overlapping security-constraints are handled has changed between TC 4 & TC 5 (since they changed in the servlet spec), but that's not what is causing your problem.

The <url-pattern>/edit*</url-pattern> isn't valid, so it looks like you were relying on an 'undocumented feature' of TC 4 ;-). TC 5 will treat this as a match for a URL that is literally '/myapp/edit*'. The valid pattern is <url-pattern>/edit/*</url-pattern>, so if you move all of your edit* files to a subdirectory (and fix the links), then you can have a wild-card pattern. Otherwise, there is nothing to do but to list all of your edit* URLs.

"Craig Berry" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> I recently moved from Tomcat 4 to 5, and have discovered that the handling of overlapping security-constraint definitions in web.xml seems to have changed. I am hoping someone can recommend the best way to accomplish what I need to do under TC5.
>
> I have two possible user roles. All users have the role "User"; in addition, some have a second role, "Admin". I want to require at least "User" role to access any page, but require "Admin" role to access a few specific page patterns. So I have two security-constraint entries, like this (this is a simplified version):
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Secure content</web-resource-name>
>       <url-pattern>*.do</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>User</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Admin content</web-resource-name>
>       <url-pattern>/edit*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>Admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>
> This worked under TC4; since all users have the "User" role, everyone could get at all my *.do pages, but users without the "Admin" role would get a 403 if they tried to reach a page starting with "edit". However, under TC5, it appears that permissions are adding rather than subtracting, if that makes sense. In other words, the presence of the blanket permission for *.do makes all pages accessible, and the attempt to add an additional rule about /edit* pages is ignored. I could obviously enumerate all the pages in both categories, but that would be brittle in the face of new development. Is there a way to do this with patterns as I did under TC4?
>
> --
> Craig Berry
> Principal Architect and Technical Manager
> PortBlue
> (310) 566-7546
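To make the matching behaviour concrete, here is an added example that is not part of either message and not Tomcat code: a small Python model of how a container picks which security-constraint entries apply to a request path. It models the url-pattern forms the Servlet spec defines (exact path, `/prefix/*`, `*.ext`, and the `/` default) and treats anything else, such as `/edit*`, as a literal path, which is the reply's point. Precedence follows the spec's servlet-mapping order (exact, then longest path prefix, then extension, then default), and roles from all constraints that apply are combined as a union, as the spec describes for overlapping constraints; that Tomcat's realm selects security constraints in that same order is an assumption of this model. The constraint dictionaries, `ORIGINAL` and `FIXED`, and the function names are all constructed for the example; `ORIGINAL` encodes the web.xml from the question and `FIXED` the reply's `/edit/*` suggestion.

```python
"""Model of servlet url-pattern matching for security constraints.

Constructed example, not code from the thread or from Tomcat. Paths are
context-relative (no "/myapp" prefix).
"""


def pattern_kind(pattern):
    """Classify a url-pattern the way the Servlet spec defines them."""
    if pattern == "/":
        return "default"
    if pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    # Anything else is an exact path; "/edit*" lands here and only ever
    # matches a request for the literal path "/edit*".
    return "exact"


def prefix_matches(pattern, path):
    """'/edit/*' matches '/edit' and '/edit/anything', but not '/editUser.do'."""
    base = pattern[:-2]
    return path == base or path.startswith(base + "/")


def matching_constraints(constraints, path):
    """Return the constraints that apply to `path`.

    Assumed precedence (spec's servlet-mapping order): an exact match wins;
    otherwise all constraints sharing the longest matching prefix; otherwise
    extension matches; otherwise the default pattern.
    """
    exact = [c for c in constraints
             if pattern_kind(c["pattern"]) == "exact" and c["pattern"] == path]
    if exact:
        return exact
    prefixed = [c for c in constraints
                if pattern_kind(c["pattern"]) == "prefix"
                and prefix_matches(c["pattern"], path)]
    if prefixed:
        longest = max(len(c["pattern"]) for c in prefixed)
        return [c for c in prefixed if len(c["pattern"]) == longest]
    ext = [c for c in constraints
           if pattern_kind(c["pattern"]) == "extension"
           and path.endswith(c["pattern"][1:])]
    if ext:
        return ext
    return [c for c in constraints if pattern_kind(c["pattern"]) == "default"]


def allowed_roles(constraints, path):
    """Union of role-names over the matching constraints; None = unconstrained."""
    matched = matching_constraints(constraints, path)
    if not matched:
        return None
    roles = set()
    for c in matched:
        roles.update(c["roles"])
    return roles


def is_authorized(constraints, path, user_roles):
    """True if the path is unconstrained or the user holds any allowed role."""
    roles = allowed_roles(constraints, path)
    return roles is None or bool(roles & set(user_roles))


# The question's web.xml, as data: "/edit*" is a literal path here.
ORIGINAL = [
    {"name": "Secure content", "pattern": "*.do", "roles": {"User"}},
    {"name": "Admin content", "pattern": "/edit*", "roles": {"Admin"}},
]

# The reply's suggestion: edit pages moved under /edit/ with a prefix pattern.
FIXED = [
    {"name": "Secure content", "pattern": "*.do", "roles": {"User"}},
    {"name": "Admin content", "pattern": "/edit/*", "roles": {"Admin"}},
]

if __name__ == "__main__":
    for label, cfg, path in [("original", ORIGINAL, "/editUser.do"),
                             ("fixed", FIXED, "/edit/user.do")]:
        print(f"{label}: {path} -> allowed roles {allowed_roles(cfg, path)}")
```

Under `ORIGINAL`, a request for `/editUser.do` matches only the `*.do` extension pattern, so the constraint requires just "User" and every user gets in; the "Admin" constraint would apply only to a request for the literal path `/edit*`. Under `FIXED`, `/edit/user.do` is matched by the `/edit/*` prefix, which takes precedence over the extension pattern, so the "Admin" constraint applies on its own and a user holding only "User" is refused.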