users@glassfish.java.net

Re: Strange behaviour on security-constraint's URL pattern

From: <glassfish_at_javadesktop.org>
Date: Mon, 09 Jun 2008 14:18:42 PDT

> Shouldn't the login window come on first before
> anything of the protected
> page is displayed?

Yes. I presume you have an appropriate mapping of login IDs to your administrator role.
What does your request URI look like? Maybe it is being mapped outside of the protected space, prior to the access checks. For example, in Glassfish, the constraints are checked on the request URI resulting from any welcome file mapping. In your case, maybe the URI that is being checked is not the one that you are entering (due to some welcome or JSF mapping).

By default, we don't log failed webresourcepermission checks, or it would be easy to see the permission checks and their results. One way to see what is being checked would be to turn on FINE security logging, and look at the access control failure messages printed to the server.log. You should see checks of webuserdata and webresourcepermission objects.

I am also not sure why you are seeing different behavior from different browsers, but maybe the browsers are acting differently wrt resending the basic authenticator on a subsequent session.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=279263
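
The effect described in the reply above, as an added example that is not part of the original message and is not GlassFish code: a simplified model of Servlet url-pattern matching, evaluated on the URI that results from welcome-file mapping. The patterns, paths, welcome file and role name are constructed samples, and the helper names are hypothetical.

```python
# Added illustration (not GlassFish code). Simplified Servlet url-pattern
# matching, applied to the URI produced by welcome-file mapping.
# All patterns, paths and role names are constructed samples.

def pattern_rank(pattern, path):
    """Rank of a match (higher wins), or None when the pattern does not apply."""
    if pattern == path:
        return (3, len(pattern))                 # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))              # path prefix, longest wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                            # extension match
    if pattern == "/":
        return (0, 0)                            # default pattern
    return None

def governing_constraint(constraints, path):
    """Return (pattern, roles) of the best-matching constraint, or None."""
    best = None
    for pattern, roles in constraints:
        rank = pattern_rank(pattern, path)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, pattern, roles)
    return None if best is None else (best[1], best[2])

def apply_welcome_file(path, welcome_files, resources):
    """Map a directory request to the first welcome file that exists."""
    if path.endswith("/"):
        for name in welcome_files:
            if path + name in resources:
                return path + name
    return path

def checked(constraints, typed_uri, welcome_files, resources):
    """Return the URI actually checked and the constraint that governs it."""
    effective = apply_welcome_file(typed_uri, welcome_files, resources)
    return effective, governing_constraint(constraints, effective)

WELCOME = ["index.jsp"]                              # constructed
RESOURCES = {"/admin/index.jsp", "/index.jsp"}       # constructed
EXACT_ONLY = [("/admin/", ("administrator",))]       # matches only the typed URI
PREFIX = [("/admin/*", ("administrator",))]          # also covers the mapped URI

if __name__ == "__main__":
    for name, cons in (("exact", EXACT_ONLY), ("prefix", PREFIX)):
        print(name, checked(cons, "/admin/", WELCOME, RESOURCES))
```

With the exact pattern the typed URI is covered but the mapped URI is not, so no constraint applies to what is actually checked; the prefix pattern covers both.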