I've observed that HttpServletRequest.isUserInRole() always returns false (regardless 
of the argument given) when called from an unsecured resource, even if the user has 
already been authenticated during the session.  Similarly, getUserPrincipal() always 
returns null under these circumstances.

I've seen several posts regarding this topic, and I'm curious if the JBoss development 
team is convinced that it works correctly.  I think it's pretty clear from the servlet 
spec that once a user is authenticated, these methods should reflect this.  I didn't 
see any exclusions regarding unsecured pages.  And if there is any doubt, you can 
always check the reference implementation -- Tomcat 4.1.29 standalone returns the same 
values for these functions regardless of whether invoked in the context of a secured 
or unsecured page.  In fact, I've never seen another servlet container that handles 
this the way JBoss does.

The JBoss behavior is problematic for any web app that tailors the content of 
unsecured pages depending on the authenticated role of the user.  For instance, you 
may want a JSP to omit links to secured resources on a page if the viewer is not 
authorized to access them anyway.

Has this issue been reviewed by the development team, and is any action planned?

Huck


View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3827323#3827323

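The "omit links to secured resources" case from the post, as an added servlet example that is not part of the original message or of JBoss itself. The role name "admin" and the /secure/* paths are hypothetical; the navigation decision is kept in a plain static method so it can be exercised without a container. The point it illustrates is that a page which only hides links degrades safely whichever way the container behaves: if getUserPrincipal() returns null and isUserInRole() returns false on an unsecured URL, the visitor simply sees the anonymous view.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Unsecured landing page (no security-constraint covers its URL) that tailors
 * its navigation to the caller's role. The role "admin" is a hypothetical
 * example; a real web.xml declares it with security-role / security-role-ref.
 */
public class LandingServlet extends HttpServlet {

    /** Pure decision helper: which navigation to render for this identity. */
    static String navigationFor(Principal principal, boolean isAdmin) {
        StringBuilder nav = new StringBuilder("<ul><li><a href=\"/public\">Public</a></li>");
        if (principal == null) {
            // Anonymous visitor, or a container that does not expose the
            // session's identity on an unsecured URL: show only the login link.
            nav.append("<li><a href=\"/secure/login\">Log in</a></li>");
        } else {
            nav.append("<li>Signed in as ").append(escape(principal.getName())).append("</li>");
            if (isAdmin) {
                nav.append("<li><a href=\"/secure/admin\">Admin console</a></li>");
            }
        }
        return nav.append("</ul>").toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // On a container that follows the spec as the post describes it, both
        // calls reflect the session's authenticated identity even here. On a
        // container that returns null/false on unsecured URLs, the page falls
        // back to the anonymous view: links disappear, nothing is exposed.
        Principal p = req.getUserPrincipal();
        boolean admin = req.isUserInRole("admin");
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>" + navigationFor(p, admin) + "</body></html>");
    }

    /** Minimal HTML escaping for the principal name before echoing it into the page. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The /secure/* URLs still have to be covered by a security-constraint in web.xml: hiding a link is a usability choice, and the container's constraint, not the presence or absence of a link on an unsecured page, is what actually enforces who may reach the resource.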

JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user