Hi all,
I want to control my website so that all pages require a logged-in user and some pages are only visible to certain roles. In the web.xml description there is a remark for the element:
If this element is present, the user must be authenticated in order to access any resource that is constrained by a defined in the Web application. Once authenticated, the user can be authorized to access other resources with access privileges.

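One for all pages:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>all pages</web-resource-name>
        <description>desc</description>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
    </security-constraint>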

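One with restriction for roles:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>role rescricted</web-resource-name>
        <description>...</description>
        <url-pattern>/control/requirements/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>aRoleName</role-name>
      </auth-constraint>
    </security-constraint>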

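My element:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/control/Login</form-login-page>
        <form-error-page>/control/Login</form-error-page>
      </form-login-config>
    </login-config>
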
The role restriction works fine. But a user who is not logged in can also access the other pages and is not redirected to the login page.

Any ideas??
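
An added example, not part of the original post: a small audit of a web.xml that reports, for each security-constraint, whether the container will demand a login. It relies on the Servlet specification rule that a constraint without an auth-constraint does not require authentication, while an empty auth-constraint denies all access. The function name `audit_constraints` and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the descriptor in the post (not a real deployment).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>role rescricted</web-resource-name>
      <url-pattern>/control/requirements/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>aRoleName</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip an XML namespace so descriptors with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]

def audit_constraints(web_xml_text):
    """Return one (url_patterns, roles, verdict) tuple per <security-constraint>."""
    findings = []
    root = ET.fromstring(web_xml_text)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        patterns = [e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text]
        # Only a direct <auth-constraint> child makes the container require a login.
        auth = next((e for e in sc if _local(e.tag) == "auth-constraint"), None)
        if auth is None:
            roles, verdict = [], "OPEN: no auth-constraint, no login required"
        else:
            roles = [r.text.strip() for r in auth
                     if _local(r.tag) == "role-name" and r.text]
            verdict = "AUTHENTICATED" if roles else "DENY ALL: empty auth-constraint"
        findings.append((patterns, roles, verdict))
    return findings

if __name__ == "__main__":
    for patterns, roles, verdict in audit_constraints(SAMPLE_WEB_XML):
        print(patterns, roles, verdict)
```

In an auth-constraint, the role name `*` stands for all roles defined in the deployment descriptor, so a constraint on `/*` with that role requires a login for every page.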