Regardless, changes in the user roles made while a user is logged in do not take effect while that user is logged in, not for any Realm. This is for security reasons, since you would otherwise be changing the wheels while the car is driving and potentially creating temporary security loopholes.
Also, note that when you have 2 WARs with the same name in the Tomcat webapps directory (for example, abc.war and an abc directory in exploded WAR format), the exploded WAR will be the one used, even if the war file is newer.
When you stop Tomcat and restart it, it is possible that session information could be cached and restored when Tomcat comes back up, so any time you're making changes to the web apps or security configuration and restarting Tomcat, it's a good idea to delete the files and directories under Tomcat's work and temp directories.
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Basic realm="Tomcat Manager Application"
response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");
response.setHeader("WWW-Authenticate", "DIGEST realm=\"TESTING\"");
Authorization: Digest username="pendell", realm="TESTING", nonce="", uri="/manager/html", response="6a453b0f0dbc4f0351b225e0e2aa4add"
Tim Moores wrote: Does the browser support DIGEST authentication? Is it sending a DIGEST authentication header with the correct password hash?
Something like the Firefox extension LiveHTTPHeaders can help you with debugging that.
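
Added example, not part of any post in this thread: a Python check that recomputes the Digest response hash (RFC 2617, MD5) from a captured Authorization line, to answer the "correct password hash" question above. It goes beyond the thread's header by also handling the qop=auth form; the function names are illustrative and "example-password" is a constructed placeholder.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_header(line):
    """Return the fields of an 'Authorization: Digest ...' line as a dict."""
    value = re.sub(r"^\s*Authorization:\s*", "", line, flags=re.I)
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def expected_response(f, password, method="GET"):
    """Recompute the response hash the way RFC 2617 defines it for MD5."""
    ha1 = md5_hex(f"{f['username']}:{f['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{f['uri']}")
    if f.get("qop"):  # qop=auth form
        return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")
    return md5_hex(f"{ha1}:{f['nonce']}:{ha2}")  # form without qop

def check_header(line, password, method="GET"):
    """Return (hash_matches, findings) for one captured header line."""
    f = parse_digest_header(line)
    findings = []
    if not f.get("nonce"):
        findings.append("nonce is empty; a Digest challenge must supply one")
    matches = hmac.compare_digest(expected_response(f, password, method), f.get("response", ""))
    if not matches:
        findings.append("response hash does not match this password")
    return matches, findings

# Header line as captured in the thread above.
PAGE_HEADER = ('Authorization: Digest username="pendell", realm="TESTING", nonce="", '
               'uri="/manager/html", response="6a453b0f0dbc4f0351b225e0e2aa4add"')
# Example request from RFC 2617 section 3.5 (password "Circle Of Life").
RFC_HEADER = ('Authorization: Digest username="Mufasa", realm="testrealm@host.com", '
              'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
              'qop=auth, nc=00000001, cnonce="0a4f113b", '
              'response="6629fae49393a05397450978507c4ef1"')

if __name__ == "__main__":
    # "example-password" is a constructed placeholder, not the thread's password.
    print(check_header(PAGE_HEADER, "example-password"))
    print(check_header(RFC_HEADER, "Circle Of Life"))
```

Run it with the real password in place of the placeholder; the empty-nonce finding is reported independently of whether the hash matches.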