Hi, I am usging tomcat 5.5.26 and trying to set up some container security with it. I am using struts 1.2.9 for my project. Basically I have three-type links
1. open to everyone, like the welcome pages. 2. restricted to one type of user role, say A 3. admin part, more restrictive, so for role B I set a normal user only has role A, while an administrator user has both role A and role B. However, I have some difficulty to set up the <url-pattern> for <security-constraint> in web.xml. Both part 2 and 3 are realized by struts, part 2 takes the root address, such as /doAction1.do, etc; part 3 takes the admin subdirectory, such as /admin/user.do. I tried to set part 2 for <url-pattern>/*.do</url-pattern> and part 3 for <url-pattern>/admin/*.do</url-patter>. Tomcat refuses to parse it. I know url-pattern can do things like "/admin/*" for path or "*.do" for the extention match. Any other more finer things? One ugly solution I can think is to change all the part 2 into a path like /normal then put that part as /normal/*. But I would perfer not to do that since that invole lots of changes in strut-config.xml. Any other solution? Thank in advance! Sincerely Zhu, Guojun