ContextConfig#validateSecurityRoles emits three info log messages but the messages start with 'WARNING:'. This is quite irrtating. > contextConfig.role.auth=WARNING: Security role name {0} used in an <auth-constraint> without being defined in a <security-role> > contextConfig.role.link=WARNING: Security role name {0} used in a <role-link> without being defined in a <security-role> > contextConfig.role.runas=WARNING: Security role name {0} used in a <run-as> without being defined in a <security-role> Remove the warning and set the log level from info to warning.
Same applies for Tomcat 7 and 8.
Using a security role that is not defined in the web.xml is indicative of an error (e.g. a typo in a role name) and therefore the warnings are appropriate.
(In reply to Mark Thomas from comment #2) > Using a security role that is not defined in the web.xml is indicative of an > error (e.g. a typo in a role name) and therefore the warnings are > appropriate. But not with INFO log level. That's the point.
Sorry, juggling too many things and read the report too fast. Yes, I agree with the proposed change.
This has been fixed in trunk for 8.0.0-RC2 and 7.0.x for 7.0.43. It has been proposed for 6.0.x.
Fixed in 6.0.x for 6.0.38 onwards.