hi,

i want to use the LdapLoginModule, but not to get roles from ldap. The problem I have that while the user is authenticated fine, it fails to be authorized against the security constraints in web.xml.

i have a <security-constraint> with <web-resources-collections> i've tried not using <auth-constraint>, using an empty one and using one with an empty role. all fail

the strangest failure is when there are no roles in <auth-constraint> i get a message:
005-11-23 18:27:52,022 TRACE [JBossSecurityMgrRealm] (http-0.0.0.0-80-Processor2:) User: qrm is NOT authorized, requiredRoles=[], userRoles=[]

seems to me that if the requiredRoles are empty, the user should be authorized.

i'm using jboss 3.2.6

thanx,
ittay