Bug 29537

Summary: User's identity and roles only for protected url
Product: Tomcat 5 Reporter: Ephemeris Lappis <ephemeris.lappis>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P3    
Version: 5.0.25   
Target Milestone: ---   
Hardware: Other   
OS: other   

Description Ephemeris Lappis 2004-06-12 06:41:45 UTC
It seems Tomcat only sets the request user's identity (getUserPrincipal) and 
authorizations (isUserInRole) when the requested URL has been protected by 
security constraints. For example, if in my webapp i have two parts with path 
beginning with 'public' or 'protected', and i set a constraint on the second 
one, any request for the 'protected/...' URLs gives the correct user and roles, 
while all the 'public/...' always return a null user and false for role 
The same war deployed on Tomcat 4 and Weblogic 8 has the correct behaviour.
Is this a change from the new servlet specification, or a bug ?
Thanks for help.
Comment 1 Tim Funk 2004-06-12 16:22:41 UTC

*** This bug has been marked as a duplicate of 12428 ***