I have two JSPs. One is secured using <security-constraint> and the other is not. I can login properly and correctly call getUserPrincipal and isUserInRole. If the authenticated user then goes to the unsecured page those methods do not work. getUserPrincipal returns null and isUserIonRole always returns false.
I would like to have personalization on the unsecured page if they happen to be authenticated when they visit that page. My first question is this, Is this the correct behavior that the Servlet spec defines? What is the recommended workaround for this problem? I am currently throwing information in the session, which does remain for the user. This example is run using the JBoss-3.0.3_Tomcat-4.1.12 release. I have not tried it under tomcat standalone because of the use of EJBs. Any help would be great. Ben Litchfield -- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
