0 Replies Latest reply on Aug 30, 2006 11:04 AM by klj62

    getRemoteUser null after basic authentication

      We have successfully applied a security-constraint with basic authentication to "/*" which generates the expected login popup. After entering valid information, the user is theoretically authenticated, but the request.getRemoteUser() continues returning null.

      When the security constraint is applied to a specific Login.jsp page that prints getRemoteUser(), the popup appears, and the page successfully prints it. Any subsequent pages again show getRemoteUser() as null.

      How can the authenticated user be applied to all pages?

      Server Configuration:
      O/S: Windows XP Pro SP2
      App Server: JBoss 4.0.3SP1
      Portal: JBoss Portal 2.2.1-GA

      Application Configuration:
      [web.xml]
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>HtmlAdaptor</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>PortalUser</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>MyAuthentication</realm-name>
      </login-config>

      <security-role>
        <description>The role required to access restricted content</description>
        <role-name>PortalUser</role-name>
      </security-role>


      [login-config.xml]
      <application-policy name="MyAuthentication">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">props/my-users.properties</module-option>
            <module-option name="rolesProperties">props/my-roles.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>


      [jboss-web.xml]
      <jboss-web>
        <security-domain>java:jaas/MyAuthentication</security-domain>
      </jboss-web>
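
      A diagnostic aid for the symptom described above, added here as an example and not part of the original post: a servlet filter that logs, for every request, what the container reports about the caller. The class name AuthStateLoggingFilter is hypothetical; it uses only the standard javax.servlet API and assumes it is packaged into the same web application as the web.xml shown.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical diagnostic filter; the name is an assumption, not from the post. */
public class AuthStateLoggingFilter implements Filter {
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest r = (HttpServletRequest) req;
            Principal p = r.getUserPrincipal();
            String authz = r.getHeader("Authorization");
            // Record only the scheme of the header, never the Base64 credentials.
            String scheme = "none";
            if (authz != null) {
                int sp = authz.indexOf(' ');
                scheme = sp > 0 ? authz.substring(0, sp) : "malformed";
            }
            ctx.log("auth-state"
                + " context=" + r.getContextPath()      // which web app served the request
                + " uri=" + r.getRequestURI()
                + " method=" + r.getMethod()            // the constraint lists GET and POST only
                + " authzHeader=" + scheme              // did the browser resend credentials?
                + " authType=" + r.getAuthType()        // "BASIC" once the container authenticated
                + " remoteUser=" + r.getRemoteUser()
                + " principal=" + (p == null ? null : p.getName())
                + " inRolePortalUser=" + r.isUserInRole("PortalUser"));
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

      Register it in web.xml with a filter element and a filter-mapping on /*, then compare the log line for Login.jsp with the line for a page where getRemoteUser() is null: the context, method, authzHeader and authType fields show whether the request reached the same web application and whether the container authenticated it.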