I have some secured JSP's and some unsecured JSP's. When I login using FORM authentication the isUserInRole() works correctly on JSPs that are secured. It does not work on unsecured pages. The same is true for getUserPrincipal().

Is this really the correct behavior? I have a page that is insecure but would like to personalize it if the user is logged in.

I have tried this using tomcat and jetty and have gotten the same results.