Hi,

I am currently trying to design a webapp using open-source containers which implement the latest specs. This means tomcat403 (for servlets2.3 and jsp1.2) and jboss300 (for ejb2.0).

During an upgrade to both of the containers implementing these specs, I experience an anomaly which has to do with the servlet container not remembering an authenticated user unless he has requested a secured web resource (i.e. the request method getUserPrincipal() returns null when he has requested an unsecured web resource). I am using form-based authentication aka j_security_check.

At the moment the highest I can go before I lose either spec is the following:

jb241a+tc323 = ok!
jb243+tc40 = ok!
jb244+tc323 = ok!
jb244+tc40 = bad! (using the same tc40 as above!)
jb245+tc40 = bad! (using the same tc40 as above!)
jb243+tc401 = starts up ok but I didn't get far enough to test (get http status 403 - access to requested resource denied when accessing a secured resource)
jb243+tc403 = (same as above)
jb244+tc331 = (didn't get far enough to test)
jb244+tc324 = (couldn't test due to classpath problem I have yet to resolve - only in this bundle, tho')

I've spent ages on this trial and error approach but I'm still really stuck with this - I want to proceed using servlets2.3 and jsp1.2 but not at the expense of ejb2.0 and vice versa.

*Please* could someone let me know whether this is a tomcat problem (I will ask again on the jboss forum). I heard on the struts mailing list that this problem is occurring on someone's websphere containers too so that could be a real spanner.

Also I noticed that the form-based auth valve is only being called for secured resources - is this intended?

Thanks
Joe

(should this go to tomcat-dev, perhaps?)
