Hi!

I'd like to have a webapplication, with simple JSPs. I'd like to use e.g. request.getUserInRole("admin") to determine what details and links I should show. E.g. like as a simple forum page:
1) if user logged in, should see the "post message" link
2) if user is not logged in, should see the "please log in" link.

My problem is the if I use declarative web.xml web-resource-collection security-constraint to my forum-page.jsp everyone should log in to see this page, cannot bypass my form-login-config.

If I put it to a "sec/*" url-pattern, only under this dir returns the getUserPrincipal() or the getUserInRole(), but upper pages from this dir cannot see my logged in context. I don't know why is that??

So my question is how can I make a simple app which uses my form-login-config, with a container managed security, without using HttpSession attributes, for my whole app, not only to a secure dir?

I have tried using a statelessbean with method permissions, and configured my JAAS JNDI login-config for an unauthenticatedIdentity, with which I can make a default login. How can I change it to be a specific user? Unfortunately a web-resource-collection with a /LoginRedirector doesn't worked for me, it forgets again the specified user details.

So any help is warmly welcomed.

Regards,
Thomas