0 Replies Latest reply on Mar 14, 2003 12:09 PM by colinbendell

    jboss.org site source (or securing the web-app - how do they

    colinbendell

      Does anyone know if and where the source for the jboss.org site resides? The old site is in cvs, but I can't find the site.

      I am asking because I see that the jboss site does what I need to do, and I can't a) figure it out or b) find anyone with the answers to my questions.

      The jboss forums site allows a public user to view the forums, but then once logged in, the same pages exist but with extra fields available. Also, a cookie is set and then honoured when I return to the site (presumably authenticating my session).

      It is obvious that in an unsecured web app or zone, a servlet calling request.getUserPrincipal() and request.getRemoteUser() returns null. In a secured zone, the principal user is set.

      My core questions are:
      a) I know I can set the unauthenticated principal in the ejb layer, but can I do the same for the web layer?

      b) If I secure the whole webapp and use roles to distinguish between public and private areas, how do I allow the servlets/filters to be called before the j2ee security is fired?

      c) How do I authenticate a returning user to the web site? (This is a derivative of the previous two questions.)