Along with what Mark said, you should know that TC 4.1.30 stops checking after the *first* matching constraint (so in your case, the '/*' always wins). Try reversing the order of your constraints in web.xml.
As Mark mentioned, this has changed in TC 5.x, and your web.xml should work as written.

"Angela Stempfel" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hello all
>
> I have a problem concerning Tomcat 4.1.30. In web.xml I defined several
> security constraints. First of all I protected the whole application and
> then I excluded the directories with images and css files. Furthermore I
> defined some roles.
>
> <pre>
> <security-constraint>
>   <display-name>TCE GUI</display-name>
>   <web-resource-collection>
>     <web-resource-name>WEBGui Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>*</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Images and CSS Not Protected</web-resource-name>
>     <url-pattern>/images/*</url-pattern>
>     <url-pattern>/css/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>HEAD</http-method>
>   </web-resource-collection>
> </security-constraint>
>
> <security-constraint>
>   <display-name>DSLAM Configuration</display-name>
>   <web-resource-collection>
>     <web-resource-name>
>       Access to DSLAM Configuration
>     </web-resource-name>
>     <url-pattern>/DslamConfig/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>dslamConfig</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/login-error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> <security-role>
>   <role-name>dslamConfig</role-name>
> </security-role>
> </pre>
>
> So my problem is that this works fine with Tomcat 5.0 but not with Tomcat
> 4.1.30. If I go to the login page, the stylesheet and images are not found
> when running the Application with version 4.1.30. Also the Security
> Constraints are not working correctly, this means that a user that hasn't
> the role "dslamConfig" is able to enter the following URL: /DslamConfig/*
>
> Has anyone some ideas?
>
> Thanks a lot
> Angela
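
The first-match behaviour described in the reply, modelled on the three constraints from the quoted web.xml. This is an added example, not part of the original thread and not Tomcat's code; the longest-prefix `best_match` is an assumed stand-in for the changed TC 5.x behaviour, and a role set of `None` stands for a user who has not logged in.

```python
# Simplified model of security-constraint selection; not Tomcat source code.
# Each entry mirrors the quoted web.xml: (url-patterns, http-methods, roles).
# methods=None means every method; roles=None means no auth-constraint.
CONSTRAINTS = [
    (["/*"], None, {"*"}),
    (["/images/*", "/css/*"], {"GET", "HEAD"}, None),
    (["/DslamConfig/*"], None, {"dslamConfig"}),
]
# The order the reply suggests trying on TC 4.1.30: most specific first.
REORDERED = list(reversed(CONSTRAINTS))

def prefix_len(pattern, path):
    """Length of the matched prefix for a '/x/*' pattern, or -1 if no match."""
    if not pattern.endswith("/*"):
        return len(pattern) if pattern == path else -1
    base = pattern[:-2]
    return len(base) if path == base or path.startswith(base + "/") else -1

def applies(constraint, path, method):
    """Best prefix length among the constraint's patterns, or -1."""
    patterns, methods, _ = constraint
    if methods is not None and method not in methods:
        return -1
    return max(prefix_len(p, path) for p in patterns)

def first_match(constraints, path, method):
    """Declaration order decides, as the reply describes for TC 4.1.30."""
    for c in constraints:
        if applies(c, path, method) >= 0:
            return c
    return None

def best_match(constraints, path, method):
    """Longest matching pattern wins regardless of order (assumed model)."""
    scored = [(applies(c, path, method), c) for c in constraints]
    scored = [s for s in scored if s[0] >= 0]
    return max(scored, key=lambda s: s[0])[1] if scored else None

def allowed(constraint, user_roles):
    """True if the request passes; user_roles=None means not logged in."""
    if constraint is None or constraint[2] is None:
        return True                   # nothing to enforce: public resource
    if user_roles is None:
        return False                  # container would redirect to login
    required = constraint[2]
    if "*" in required:
        return bool(user_roles)       # any role of the application
    return bool(required & user_roles)
```

With the original order, an anonymous `GET /css/site.css` is sent to the login form and a logged-in user without `dslamConfig` reaches `/DslamConfig/`, which are the two symptoms reported; `REORDERED` under `first_match` gives the same decisions as `best_match` on the original order.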