|Summary:||User's identity and roles only for protected url|
|Product:||Tomcat 5||Reporter:||Ephemeris Lappis <ephemeris.lappis>|
|Component:||Catalina||Assignee:||Tomcat Developers Mailing List <dev>|
Description Ephemeris Lappis 2004-06-12 06:41:45 UTC
It seems Tomcat only sets the request user's identity (getUserPrincipal) and authorizations (isUserInRole) when the requested URL has been protected by security constraints. For example, if in my webapp i have two parts with path beginning with 'public' or 'protected', and i set a constraint on the second one, any request for the 'protected/...' URLs gives the correct user and roles, while all the 'public/...' always return a null user and false for role checkings. The same war deployed on Tomcat 4 and Weblogic 8 has the correct behaviour. Is this a change from the new servlet specification, or a bug ? Thanks for help.