Has anyone had a problem with embedded Tomcat in which it temporarily forgets the authentication information of a logged-in user? I am running JBoss 3.0 beta with Tomcat 4.0.2 and am using container-managed security. The following happens:

User A goes to a protected section of the web site. Tomcat asks him to log in. He enters a valid username and password. Tomcat takes him to the page he requested. If the application invokes request.getRemoteUser(), it returns the username of User A.

Now User A goes to an unprotected section of the site without logging out. If the application invokes request.getRemoteUser(), the container returns null.

User A returns to a protected page. He is not asked to log in because Tomcat remembers that he has logged in. If the application invokes request.getRemoteUser(), all is well and the username is returned just fine.

Does anyone know why this behavior occurs? How do I get the username when User A, who is logged in, visits an unprotected page?