The answers are "yes" and "yes". You can determine the user's "logged-in-ness" with a call to "request.getRemoteUser()", which should return "null" if he is not and his name (login) otherwise. This should always be the case, regardless of the currently requested resource having a security-constraint or not, but of course a login will only be demanded if it has such a constraint.
If you experience different behaviour, I will surely be interested to learn about it.

Andreas Mohrig

-----Original Message-----
From: jfc [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 1:26 PM
To: [EMAIL PROTECTED]
Subject: tomcat4 + declarative security

Hi,

I have two questions regarding declarative security (I use JBoss2.4.x+Tomcat4.0 + struts1.1, on suse linux7.2):

1. Is tomcat 4 supposed to be able to distinguish previously authenticated users from unauthenticated users? I assumed the answer to this question is yes because otherwise the user would have to undergo the entire authentication process repeatedly for each request that he submits within a single session.

2. Is tomcat 4 supposed to be able to do the above (i.e. remember a user's logged-in-ness) regardless of whether his current request was to a secured resource? (again assume requests are within the same session).

cheers
jfc

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
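The following is an added example, not code from the thread or from Tomcat: a Servlet 2.3 filter that relies on the behaviour described in the reply (`getRemoteUser()` is `null` for an anonymous request and the login name otherwise) to gate resources that have no security-constraint of their own. The class name, the `loginTrigger` init-param and the `authenticatedUser` request attribute are assumptions made for illustration; `loginTrigger` is expected to point at a path that does have a security-constraint, so that the container starts its login.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: map it in web.xml onto URLs that are NOT covered by a
// security-constraint but should still only be served to logged-in users.
public class RemoteUserGateFilter implements Filter {

    // Assumed init-param: context-relative path of a constrained resource.
    private String loginTrigger;

    public void init(FilterConfig config) throws ServletException {
        loginTrigger = config.getInitParameter("loginTrigger");
        if (loginTrigger == null || !loginTrigger.startsWith("/")) {
            // Fail at deployment time rather than serve pages ungated.
            throw new ServletException("init-param 'loginTrigger' must be a context-relative path");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // null means no authenticated user is associated with this request.
        String user = request.getRemoteUser();
        if (user == null) {
            // The container only demands a login for constrained resources,
            // so send the browser to one instead of serving this page.
            String target = request.getContextPath() + loginTrigger;
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }

        // Authenticated: expose the name to the view and keep the
        // personalised response out of shared caches.
        request.setAttribute("authenticatedUser", user);
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

The redirect does not remember the originally requested URL; after login the user lands on the `loginTrigger` resource.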
