4 Replies Latest reply on May 20, 2003 5:40 AM by Michael Hussey

    request.getUserPrincipal null after LoginContext.login()

    Michael Hussey Newbie

      I have a web application that is fully secured using security constraints in web.xml and a security domain specified in jboss-web.xml. (I understand the jboss/tomcat specific behavior where URLs not matching a security constraint have a null principal.)

      That works for me until my code does a JAAS login (e.g. in a request subsequent to logging in with FORM based authentication). As soon as I do a loginContext.login(), then the request principal becomes null on subsequent requests.

      WebLogic provides a class specifically for authenticating in a servlet so that the request principal is updated correspondingly. How can I do the same on the jboss/tomcat combo?

      Thanks in advance,

      PS, I do not want to store user/pass in session because:

      1. Not secure
      2. Does not work with single sign-on