Yes, you have it essentially correct. I included a copy of a Realm we use for one of our applications. The role is assigned by Tomcat when the user is logged in successfully. This role can be used to restrict access to screens by URL pattern. It probably can do other things too.

I do not know how Oracle App Server does this and whether it is similar.

Marc.

    <!-- Replace the above Realm with one of the following to get a Realm
         stored in a database and accessed via JDBC -->
    <!-- This will be used for ACSS application -->
    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="oracle.jdbc.driver.OracleDriver"
           connectionURL="jdbc:oracle:thin:@nnnn.twjconsulting.com:1521:dev"
           connectionName="acss" connectionPassword="xxx"
           userTable="acss_user" userNameCol="acss_username" userCredCol="password"
           userRoleTable="acss_user_role" roleNameCol="acss_role" />

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of LeRoy Kemnitz
Sent: Thursday, July 07, 2005 8:09 AM
To: oracle-l
Subject: JDBC Realm

All-

I am trying to figure how the JDBC Realm works in Tomcat and if Oracle App Server does something similar. I want to use Tomcat first to understand the authentication process and then move to the Oracle App Server. Correct me if I am wrong, how I understand it the JDBC Realm is just an environment where the usernames, passwords, and roles are kept in tables in the database that can be 'home-grown'. In the App Server, the OID holds the usernames and passwords encrypted. The App Server can use the SSL to secure connections to connect as well. But how does the web browser session find out about the roles that the user has? I am new to the Java world so forgive me if this is way off base.

LeRoy

--
//www.freelists.org/webpage/oracle-l
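
Added example (not part of the thread and not either poster's configuration): a web.xml fragment showing how a role loaded by the JDBCRealm quoted above restricts screens by URL pattern. The container checks the role on the server for each request, so the browser is never sent the role list. The role name acss_admin, the /admin/* path, the realm-name and the login page names are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Screens under /admin/* (hypothetical path) are only served to users
       whose row in acss_user_role has acss_role = 'acss_admin'
       (hypothetical role value). Tomcat looks the role up through the
       Realm at login and enforces it here, before the servlet or JSP runs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ACSS admin screens</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>acss_admin</role-name>
    </auth-constraint>
    <!-- Require SSL for these URLs so the login form and session cookie
         are not sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login: the container presents the login page, validates the
       username and password against the Realm, and keeps the
       authenticated user and roles in the server-side session. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ACSS</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint must be declared. -->
  <security-role>
    <role-name>acss_admin</role-name>
  </security-role>

</web-app>
```

Inside a servlet or JSP, `request.isUserInRole("acss_admin")` answers the same question programmatically for finer-grained checks than a URL pattern allows.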