1. Re: getUserPrincipal returns null on non-secured pages
petertje Mar 4, 2003 5:09 PM (in response to pbkwee)
> However, if I then navigate to a non-secured page,
> request.getUserPrincipal() returns null.
>
> Is this the correct behaviour?
Yes, it is.
Peter.
2. sadly, it is
kenkyee Mar 5, 2003 11:28 AM (in response to pbkwee)
If you look at the Apache FAQ, you'll see why. Even w/ Apache, getRemoteUser() is only valid on protected/restricted pages. Ditto the roles.
This prevents you from doing stuff like "show admin links only if user has Admin role" from the home page of a site using only container-managed security. You have to read out the userroles and stick them in the session and manage roles yourself on non-restricted pages. Yucko.
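
The workaround described in the reply above, sketched as a servlet filter. This is an added example, not code from either poster: the class name `RoleCacheFilter`, the session attribute names and the `"User"` role are assumptions, and the filter is assumed to be mapped in `web.xml` to the same URL patterns as the `security-constraint`, so it runs where `getUserPrincipal()` is populated.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: runs on secured URLs and copies identity into the session.
public class RoleCacheFilter implements Filter {
    // Assumed role names. The servlet API can only test for a named role,
    // it cannot list a user's roles, so the candidates must be known up front.
    private static final String[] KNOWN_ROLES = { "Admin", "User" };
    public static final String ATTR_USER = "cached.user";   // hypothetical name
    public static final String ATTR_ROLES = "cached.roles"; // hypothetical name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal p = http.getUserPrincipal();
        if (p != null) { // only non-null on pages the container protects
            Set<String> roles = new HashSet<String>();
            for (String r : KNOWN_ROLES) {
                if (http.isUserInRole(r)) roles.add(r);
            }
            HttpSession s = http.getSession();
            s.setAttribute(ATTR_USER, p.getName());
            s.setAttribute(ATTR_ROLES, Collections.unmodifiableSet(roles));
        }
        chain.doFilter(req, res);
    }

    // Call from non-secured pages to decide whether to render a link.
    // Returns false when there is no session or nothing has been cached yet.
    public static boolean showLinkFor(HttpServletRequest http, String role) {
        HttpSession s = http.getSession(false);
        if (s == null) return false;
        Object roles = s.getAttribute(ATTR_ROLES);
        return roles instanceof Set && ((Set<?>) roles).contains(role);
    }
}
```

The cached set only decides what to render on unprotected pages; the admin pages themselves stay behind the container's `security-constraint`, and the cache goes stale if a user's roles change during the session.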