
I am experiencing the exact same problem. Here is my post to the struts list:

>Has anyone encountered the following situation using form-based auth in catalina?
>1. login successfully using 'j_security_check';
>2. the next request happens to be to an unsecured url (e.g. /do/frontpage
>(with no restrictions in web.xml) --> DispatchServlet --> user.frontpage
>(tiles)) ; 
>3. the request methods 'getUserPrincipal()', 'isUserInRole()'
>and 'getRemoteUser()' tell me the user is not logged in (in DispatchServlet)! 
> (I'm using jboss244+tomcat401, struts1.0, tiles)
>I heard this might be an issue with jboss.
>Can anyone confirm?
>>I don't know how JBoss behaves, but this is exactly
>>how WebSphere behaves.
>>                              -TP
I have found the same using jb241a+tc323 as well as jb300RC2+tc403.

I started looking at the tomcat code but I'm not sure I want to commit the time it may
take to understand the intricacies when someone else may well have an answer.

I'd like to know whether this is worth pursuing or if perhaps it is better to
sacrifice the declarative model for a roll-your-own approach.


>From: Erwin Teseling 
>Subject:  Loosing identify when switching to non-protected webresource
>Date:  Thu, 21 Feb 2002 15:57:12 +0100
>I am using the combination of Tomcat/Jboss and am having problems
>using webcontainer security (using j_security_check).
>I have some resource protected in my web.xml (using <security-
>tag). Now when I try to access this resource Tomcat presents me my
>loginform and validates my identity. If this is correct I will gain
>access to the secured resource. So far so good.
>Now I have a custom tag that verifies the role in which I am to
>some pages differently. My tag nicely detects the users identity
>getUserPrincipal() method). Now when I go to a non-secured jsp-page,
>tag returns null on getUserPrincipal?!?! When I switch to a secured
>jsp-page it does work and I receive the correct identity. I have the
>same behaviour in servlets.
>I was not expecting this behaviour and I really need to be able to
>determine the identity on these non-secured resources (both servlets
>jsp). Is there a setting that makes Tomcat behave in this way and is
>there a way to change this behaviour?
