What security domain have you set up for your application? Is sounds as if you are accidentally using the "simple" domain which provides the behaviour you describe. From auth.conf:
// Very simple login module:
// any user name is accepted.
// password should either coincide with user name or be null,
// all users have role "guest",
// users with non-null password also have role "user"
I'm using a custom login module in my own defined domain. The login module seems to be working fine. In fact, the same code works in Joss-2.4.4_Tomcat-3.2.4-beta (which has other problems that prevent me from using it) so I don't think that is the issue.
I did finally get this to work. The page I was accessing in my web app was not secured, so Tomcat was not passing the user data with the request. Is this a bug or a feature? Other app servers I have deployed this application on (Orion and Weblogic) do not do this, and I haven't found any reference to this behavior in the spec. Any insights would be appreciated.
OK, so your custom login module has the unauthenticated identity set to "guest", is that what you were saying. Ignore my previoust post 'cos I was getting mixed up with roles and you were talking about principal names. When you said you were getting the "guest" principal I didn't realise you were using your own login module.
So you're saying that when an already logged in user loads an unsecured page and which calls an EJB, then the principal associated with the call is wrongly reported as the "unauthenticatedIdentity" specified in auth.conf? If so then I would say this was probably a bug, though why would you want to provide unsecured web access to a secured EJB?
Are you absolutely sure that the web request was made as part of a session in which the user was definitely logged in?
That is what was happening. In my application, the principal carries extra information that is needed to process requests in the EJB layer, so I need to know who is logged in during the session. On the other application servers I have deployed on, the principal is associated with all of the calls regardless of whether the EJB or JSP is secured.
This seems to make it even more sensible to secure the urls that allow you to access those EJBs - if you have to be logged in to use them then why expose those urls as unprotected?
In any case, I think the principal should always be set if someone has logged in. I don't know what the situation is in the latest releases.