I was NOT able to reproduce the issue in [3.2.5 (build: CVSTag=JBoss_3_2_5 date=200406251954)]
I am able to reproduce the issue in [4.0.1sp1 (build: CVSTag=JBoss_4_0_1_SP1 date=200502160314)]
Downloading 4.0.2 right now - will post the results.
A forwarded request does not go through the security stack so I don't expect that the request roles will have changed. A redirected reply will show the updated state as a new session will be required.
Thanks Scott! I have to say you are really on top of things, I see your posts all over these forums.
I am able to reproduce the intended behavior in 4.0.2 - the same as 4.0.1sp1.
Is this behavior specified in the newer servlet spec? Just wondering why the results were different in JBoss 3.2.5?
In any case upon using a response.redirect("/") as you suggest, the roles change.