Marc Farrow wrote:
> <auth-contraint/>

And there is the problem.

An empty <auth-constraint> allows unauthenticated access as per SRV.12.8.1
An empty <auth-constraint> is not the same as an <auth-constraint> that specifies no roles and therefore denies access to all as per SRV.12.8.1.

Mark

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org