Bug 29537 - User's identity and roles only for protected url
Summary: User's identity and roles only for protected url
Status: RESOLVED DUPLICATE of bug 12428
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 5.0.25
Hardware: Other other
: P3 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-12 06:41 UTC by Ephemeris Lappis
Modified: 2004-11-16 19:05 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ephemeris Lappis 2004-06-12 06:41:45 UTC 
It seems Tomcat only sets the request user's identity (getUserPrincipal) and 
authorizations (isUserInRole) when the requested URL has been protected by 
security constraints. For example, if in my webapp i have two parts with path 
beginning with 'public' or 'protected', and i set a constraint on the second 
one, any request for the 'protected/...' URLs gives the correct user and roles, 
while all the 'public/...' always return a null user and false for role 
checkings.
The same war deployed on Tomcat 4 and Weblogic 8 has the correct behaviour.
Is this a change from the new servlet specification, or a bug ?
Thanks for help.
Comment 1 Tim Funk 2004-06-12 16:22:41 UTC 

*** This bug has been marked as a duplicate of 12428 ***