2 Replies Latest reply on Mar 5, 2003 11:28 AM by kenkyee

    getUserPrincipal returns null on non-secured pages

    pbkwee

      I have a security-constraint covering a directory on my WAR file.

      I have the j_security_check form login working so that I need to log in to see pages in that directory. And those pages show my identity (request.getUserPrincipal().getName()).

      However, if I then navigate to a non-secured page, request.getUserPrincipal() returns null.

      Is this the correct behaviour? Or does this smell like a config problem at my end?

      Regards, Peter

        • 1. Re: getUserPrincipal returns null on non-secured pages

          > However, if I then navigate to a non-secured page,
          > request.getUserPrincipal() returns null.
          >
          > Is this the correct behaviour?

          Yes, it is.

          Peter.

          • 2. sadly, it is

            If you look at the Apache FAQ, you'll see why. Even w/ Apache, getRemoteUser() is only valid on protected/restricted pages. Ditto the roles.

            This prevents you from doing stuff like "show admin links only if user has Admin role" from the home page of a site using only container-managed security. You have to read out the userroles and stick them in the session and manage roles yourself on non-restricted pages. Yucko.