It seems Tomcat only sets the request user's identity (getUserPrincipal) and authorizations (isUserInRole) when the requested URL has been protected by security constraints. For example, if in my webapp i have two parts with path beginning with 'public' or 'protected', and i set a constraint on the second one, any request for the 'protected/...' URLs gives the correct user and roles, while all the 'public/...' always return a null user and false for role checkings. The same war deployed on Tomcat 4 and Weblogic 8 has the correct behaviour. Is this a change from the new servlet specification, or a bug ? Thanks for help.
*** This bug has been marked as a duplicate of 12428 ***