DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=29537>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=29537 User's identity and roles only for protected url Summary: User's identity and roles only for protected url Product: Tomcat 5 Version: 5.0.25 Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: Other Component: Catalina AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] It seems Tomcat only sets the request user's identity (getUserPrincipal) and authorizations (isUserInRole) when the requested URL has been protected by security constraints. For example, if in my webapp i have two parts with path beginning with 'public' or 'protected', and i set a constraint on the second one, any request for the 'protected/...' URLs gives the correct user and roles, while all the 'public/...' always return a null user and false for role checkings. The same war deployed on Tomcat 4 and Weblogic 8 has the correct behaviour. Is this a change from the new servlet specification, or a bug ? Thanks for help. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]