http://issues.apache.org/bugzilla/show_bug.cgi?id=34549

           Summary: isUserInRole() on non-secure pages
           Product: Tomcat 5
           Version: 5.5.9
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

Tomcat 5.5.9. I have two JSPs: /a.jsp and /secure/b.jsp

Deployment descriptor (related parts):

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/security/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AGENT</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Web Portal Authentification Realm</realm-name>
  </login-config>
  <security-role>
    <role-name>AGENT</role-name>
  </security-role>
  <!-- End of DD -->

In the body of each web page I have the following scriptlet:

  <%=request.isUserInRole("AGENT")%>

I access web pages using the following two scenarios:

========================
Scenario 1 (correct behaviour):

Action [Result]
1) /a.jsp [page a is displayed, scriptlet outputs "false"] - Correct
2) /security/b.jsp [authorization request, I supply credentials of the user which has AGENT Role; page b is displayed, scriptlet outputs "true"] - Correct
3) /a.jsp [same as 1)] - Correct

========================
Scenario 2 (step 2 produces incorrect output):

1) /security/b.jsp [authorization request, I supply credentials of the user which has AGENT Role; page b is displayed, scriptlet outputs "true"]
2) /a.jsp [page a is displayed, scriptlet outputs "false", both request.getUserPrincipal() and request.getRemoteUser() give "null"] - WRONG
3) /security/b.jsp [page b is displayed, scriptlet outputs "true"] - Correct
4) /a.jsp [page a is displayed, scriptlet outputs "true"] - Correct.
Note: I instruct browsers not to cache pages by including the following scriptlet at the beginning of both pages /a.jsp and /security/b.jsp:

  <% response.setHeader("Cache-Control","no-cache"); response.setHeader("Pragma","no-cache"); %>