I got the responsibility of maintaining a legacy web application running on Tomcat 5.5.36 and using the *j_security_check* feature for user authentication.

One problem scenario I am looking into: when you first start the browser and log on to the application, everything works OK. The application receives the username from *request.getRemoteUser()* and looks up the user's roles in config tables to determine exactly what each user is allowed to do in the GUI.

*The problem is* when a user leaves the application inactive for an extended time (not clear yet exactly how long, but more than an hour) and then submits a form. It now appears that Tomcat may have discarded the authentication info, because of a time-out I guess, and *request.getRemoteUser()* will return *null*, which results in a broken GUI display. I would expect (prefer) Tomcat, in this case, to request the login credentials anew before accessing the application, but for some reason it does not.

For info, the *web.xml* under *{TOMCAT_HOME}/config* has ...<session-timeout>240</session-timeout>... while the *web.xml* in the application WAR file has no session-timeout specified at all.

What do I need to do to get Tomcat to always ask for the login credentials again when needed, and make sure *request.getRemoteUser()* is never null when the application is called? Does anyone have a clue?
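The situation the post describes, as an added example that is not part of the original post: Tomcat's FORM authenticator only challenges for credentials on URLs that a `<security-constraint>` in the WAR's *web.xml* covers, and the authenticated Principal lives in the HTTP session. Once that session has expired, a request to any URL outside the constrained set is served anonymously, so *request.getRemoteUser()* is *null* and the application sees exactly the broken state above. The servlet filter below (hypothetical code written for this page, not from the poster's application) is a safety net for that case: it refuses any request without an authenticated principal, discards the stale session, and redirects the browser to a constrained entry page so the container presents the login form again. The class name, the `entryPath` and `publicPrefixes` init-parameters, and their default paths (`/index.jsp`, `/login.jsp`, `/login-error.jsp`, `/static/`) are all assumptions and must be adapted to the real WAR.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical safety-net filter (example code, not from the original post).
 * Servlet 2.4 / Java 5 compatible, which is what Tomcat 5.5 supports.
 *
 * Requests that reach the application without an authenticated principal are
 * bounced to a URL covered by a <security-constraint>, so that Tomcat's FORM
 * authenticator (j_security_check) asks for credentials again instead of
 * letting request.getRemoteUser() return null inside the application.
 */
public class RequireAuthenticatedUserFilter implements Filter {

    // Assumed: a URL inside the WAR that IS covered by a <security-constraint>.
    private String entryPath = "/index.jsp";

    // Assumed: path prefixes the container must serve anonymously, i.e. the
    // FORM login/error pages and any static assets they reference.
    private final List<String> publicPrefixes = new ArrayList<String>();

    public void init(FilterConfig config) throws ServletException {
        String entry = config.getInitParameter("entryPath");
        if (entry != null && entry.length() > 0) {
            entryPath = entry;
        }
        String prefixes = config.getInitParameter("publicPrefixes");
        if (prefixes == null) {
            prefixes = "/login.jsp,/login-error.jsp,/static/"; // assumed defaults
        }
        String[] parts = prefixes.split(",");
        for (int i = 0; i < parts.length; i++) {
            String p = parts[i].trim();
            if (p.length() > 0) {
                publicPrefixes.add(p);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isPublic(request) || isAuthenticated(request)) {
            chain.doFilter(req, res);
            return;
        }

        // The container no longer knows who this is: throw away whatever is
        // left of the old session so nothing from it carries into the next login.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.setHeader("Cache-Control", "no-store");
        // Redirecting to a constrained URL makes Tomcat show the login form.
        response.sendRedirect(request.getContextPath() + entryPath);
    }

    public void destroy() {
    }

    /** True only when the container holds an authenticated principal for this request. */
    static boolean isAuthenticated(HttpServletRequest request) {
        return request.getUserPrincipal() != null && request.getRemoteUser() != null;
    }

    /** True for paths that must stay reachable without a login (login page, assets). */
    private boolean isPublic(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }
        for (int i = 0; i < publicPrefixes.size(); i++) {
            if (path.startsWith(publicPrefixes.get(i))) {
                return true;
            }
        }
        return false;
    }
}
```

To use it, declare the class in the WAR's own *web.xml* with a `<filter>` element and a `<filter-mapping>` whose `<url-pattern>` is `/*`; the WAR's *web.xml* is also the place to set `<session-timeout>`, since a value there overrides the default in Tomcat's global *web.xml*. Two caveats a practitioner should expect: on a URL that a `<security-constraint>` already covers, Tomcat's authenticator runs before any filter, so the user is already re-authenticated there and the filter merely passes the request through; and a form submitted after the timeout is redirected, so its POST data is lost, which is the price of making the container ask for credentials again rather than serving the request anonymously.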