Ron,
You appear to be correct here. It looks like we have a bug in the implementation of our linkedconfiguration of the JACC provider.
We have 2 webapps. The first says that security is required for this app (e.g. returning false for policy.implies), but when we also checked the linked configuration, the second webapp appears be overriding the targetted webapp's decision:
Requested: (javax.security.jacc.WebResourcePermission /applications GET)
Specified: (javax.security.jacc.WebResourcePermission /)
Which apparently would tell the AccessController that security is not required.
I'll dig further into the linked config. It isn't something I've dealt with much, so perhaps there is a hidden bug in there to find.
Jason
[Message sent by forum member 'vinsonizer' (vinsonizer)]
http://forums.java.net/jive/thread.jspa?messageID=278774