Hi Jan, does it really work?? I am using Apache 1.3, Tomcat 3.2.2, Win NT 4.0 SP6, JDBC Realm, the page is under <security-constraint> in a frame (the first subpage) and request.getRemoteUser() and request.getAuthType() are working, giving me FORM and USER. But request.getHeader always returns null. I am speechless ... Any further suggestions, please? Thanks Thomas