> A key rule to remember is that security constraints are applied *only* on
> the original URL requested by the client -- not on RequestDispatcher
> calls. I would bet you probably have "/resource/*" protected, but you'll
> likely want to protect "/user/*" as well.

Thanks, this is a great help. You're right, for /user/*, GET requires authentication, but POST doesn't, which looks to be why it was working as I had outlined it. But actually, given the nature of how I need to authenticate my resources, it seems that I would be better off in this particular circumstance to use Apache's mod_rewrite to set up the URLs, which would eliminate the RequestDispatcher altogether.
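
The two points in this exchange (constraints match only the URL the client originally requested, and a constraint that names GET leaves POST open) as a `web.xml` sketch. This is an added example, not part of either message and not the poster's actual configuration; the role name `member` and the resource names are assumptions.

```xml
<!-- Constructed deployment-descriptor fragment; names are placeholders. -->

<!-- BEFORE (weak), shown commented out:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user-get-only</web-resource-name>
      <url-pattern>/user/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
  Listing an http-method restricts the constraint to that method, so
  POST /user/... is served without authentication. If that servlet then
  forwards to /resource/... through a RequestDispatcher, the container
  does not re-evaluate the /resource/* constraint for the forward.
-->

<!-- AFTER: protect the client-facing entry point as well as the target,
     and name no http-method so every method is covered. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>user-and-resource</web-resource-name>
    <url-pattern>/user/*</url-pattern>
    <url-pattern>/resource/*</url-pattern>
    <!-- no http-method elements: the constraint applies to all methods -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>member</role-name>
</security-role>
```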