A WAR contains :-
I secure /cs/*, /jsp/*, /script/* with auth-method FORM
I use struts so we have /*.do to secure as well...
I hit my welcome file in /jsp and get challenged for my login. I log in successfully. I get my welcome page with a valid UserPrincipal. I hit a link to /someAction.do?params, this forwards me to another /jsp... I now have a null UserPrincipal.
To fix this I secure ONLY /* and everything works...
Surely I should not have got a null UserPrincipal on a secure page! Does a Forward act differently in some way?
DOH! DOH! I should have taken the 'Blue Pill'!!!
I'm sorry, I'm having a 'senior' moment!
You can't secure /*.do
For any other 'older' people...
When trying to secure Struts applications, give your Struts action path a prefix like '/action/some_do', then you can secure /action/*
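Added example, not part of the original post: a small Python model of the Servlet specification's url-pattern matching rules, showing which request paths each set of security-constraint patterns from the post actually covers. The request paths and the helper names are constructed for illustration, and the model ignores http-method and role handling.

```python
# Servlet spec mapping rules: "/prefix/*" is a path mapping, "*.ext" is an
# extension mapping, "/" is the default mapping, anything else is exact-match.

def pattern_matches(pattern: str, path: str) -> bool:
    """Return True if a web.xml <url-pattern> applies to a context-relative path."""
    if pattern == "/":                                   # default mapping
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]                            # "/jsp/*" -> "/jsp"
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                         # extension mapping
        last_segment = path.rsplit("/", 1)[-1]
        return last_segment.endswith(pattern[1:])
    # "/*.do" lands here: it is neither a path nor an extension mapping,
    # so it only matches the literal path "/*.do".
    return path == pattern


def unprotected(paths, patterns):
    """Paths that no security-constraint url-pattern covers."""
    return [p for p in paths
            if not any(pattern_matches(pat, p) for pat in patterns)]


# Constructed request paths modelled on the post.
REQUESTS = ["/jsp/welcome.jsp", "/someAction.do", "/action/some_do"]

ORIGINAL = ["/cs/*", "/jsp/*", "/script/*", "/*.do"]     # first attempt
WORKAROUND = ["/*"]                                      # "secure ONLY /*"
PREFIXED = ["/cs/*", "/jsp/*", "/script/*", "/action/*"] # prefixed actions

if __name__ == "__main__":
    for name, patterns in [("original", ORIGINAL),
                           ("workaround", WORKAROUND),
                           ("prefixed", PREFIXED)]:
        print(f"{name:10} unprotected: {unprotected(REQUESTS, patterns)}")
    # The extension form "*.do" (no leading slash) is a valid mapping.
    print("*.do covers /someAction.do:",
          pattern_matches("*.do", "/someAction.do"))
```

Running the same check over every servlet-mapping in a deployment descriptor is a quick way to spot action URLs that sit outside all security constraints.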