There are two kinds of users in my system. All users have the role User; some also have the role Admin. I have set up a pair of security constraints in my web.xml, with the url pattern /* requiring User role, and a small, explicitly listed set of specific pages requiring Admin role in a separate security constraint. The intention of course is for users without the Admin role to get 403s if they try to visit the latter pages.

This worked in 3.2.3, but since upgrading to 3.2.4, it seems that permissions are cumulative rather than subtractive. That is, since /* can be access by User role, nothing ever gets checked for Admin role.

Has something changed (perhaps in Tomcat 4 vs. 5)? Can I do what I want to do without expliciltly listing all pages in both categories?