I'm using Tomcat 4.0.2 and noticed that the security attributes returned by
request.getRemoteUser(), request.isUserInRole("x"), and
request.getUserPrincipal() seem to only be present when the user is in a
protected directory, even if he has already logged in. That is to say, the
user can log in and go to a protected URL, and request.getRemoteUser() works
fine. If he then goes to a "common" area that is not protected by a
security-constraint block in web.xml, request.getRemoteUser() returns null.
If he then goes back to a different protected page, request.getRemoteUser()
returns the username again, so clearly Tomcat is storing the information.Does anyone know how to get access to the authentication information on a non-protected page after the user has logged in? I could set a session attribute right after login, but I figured that Tomcat already has the information, so it would be nice to not have to resort to a hack. -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>
