I have a question about the Tomcat SSO valve. I have JBoss-4.2.3.GA with JBoss Portal 2.7.2
from the branch, and I did this scenario:
1) I changed the security settings of the default portal so that only admin can see it ('View
recursive' and 'Personalize recursive' permissions granted to Administrators). So access to
http://localhost:8080/portal needs authentication and needs to be authorized as admin.
2) I enabled the Tomcat SSO valve in
$JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml in the same way as
described in the reference guide.
3) I enabled authentication for the jmx-console in the same way as described in the
reference guide:
$JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
    role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role>
  <role-name>Admin</role-name>
</security-role>
$JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml:
<jboss-web>
<security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
$JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties:
admin=Admin,HttpInvoker
4) I went to
http://localhost:8080/jmx-console and authenticated to the jmx-console as admin.
5) Then I went to
http://localhost:8080/portal and I saw the normal default page of the
default portal with information that admin is logged in (the sign 'logged in as:
admin' in the upper right corner and a link to the Admin portal).
6) After clicking any link on the portal, I fell into a 403 Forbidden error. This is caused
by the fact that any click redirects me to a URL like:
http://localhost:8080/portal/auth/dashboard
and I need to be in the 'Authenticated' role to access this URL. But I am only in the
'Admin' role, not in the 'Authenticated' role (authentication is done by the
jmx-console, and the 'Authenticated' role is not specified in
jmx-console-roles.properties).
My question is whether this behaviour is correct. I think not. If I am not authorized to see
the default portal, why is it possible that I can see
http://localhost:8080/portal after
logging in to the jmx-console? If I am authorized to see the portal, why do I get the
'403' error when clicking any link from the default portal page? This looks like a
conflict from my point of view.
mposolda(a)redhat.com
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4227254#...
Reply to the post :
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...