anonymous wrote : | But from my point of view, the behaviour in situation when you are in role "Admin" (or "User") and not in "Authenticated" is not logical. | Needing an "Authenticated" Threshold only makes the difference between an authenticated user and an anonymous user. After that within authenticated state itself, resources are access controlled based on whether they have "Admin" role, "User" role etc. Atleast thats the default security policy of portal we ship out of the box. To change this, you can modify the security constraints I mentioned in portal server configuration. I thought you needed a solution that would work with the out of the box portal policy. But, looks like you are looking to modify the default portal security policy, which is fine too. Try the first option I suggested and see if that works. You will need to add the "User" and "Admin" role references in the web.xml instead of the Authenticated we have today anonymous wrote : | Solution may be to inform our customers that for correct usage of Tomcat SSO Valve, they must have users in their web applications in both roles "Admin" and "Authenticated" (or "User" and "Authenticated" for normal non-admin users). | Yes that is correct for the default security policy that we ship with Thanks View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4227549#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...