Issue Resolved --

This method is being called from a request dispatcher "include". The only instantiation of a DispatchedHttpServletRequest object that I could find is in the PortletRequestDispatcherImpl class, and only for the case of a JSP dispatcher "include".

Although the original request is made available to the DispatchedHttpServletRequest object, it does not make use of it to provide information such as the isUserInRole. The 2.2.1 code is the same as the 2.4 code.

SRV.8.3 "The Include Method" section of the 2.4 Servlet Specification states:
"The target servlet of the include method has access to all aspects of the request object,"

Based on this statement from the spec, I would think that a call to request.isUserInRole from the target servlet should return the same answer as the call to the original request object. The following section 8.3.1 states what must explicitly be included as request attributes, but it looks like this implementation ignores the 8.3 statement above and supplies only those things listed as "must be set".


It's probably irrelevant since I solved the problem by extracting the original request from the dispatched request by:

<%
RenderRequest renderRequest = (RenderRequest)
request.getAttribute("javax.portlet.request");

if ( renderRequest.isUserInRole( "rolename" ) ) { . . . }
%>

It's not an obvious answer, so I hope this helps others who run into the same problem.