I'm implementing simple authentication (Tomcat 4.1.24), either BASIC or FORM-based, using the UserDataBaserealm, and tomcat's tomcat-users.xml file. My web.xml file has <security-constraint> and <login-config> tags. What I'm wondering is, why don't I also need to use <security-role> tags--the spec seems to imply that they are necessary, and other servlet engines seem to use them. This makes applications non-portable from one engine to another. Anybody know why Tomcat doesn't seem to use this tag? Dave Naden
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]