I forgot to mention that I see this on jboss4.0_tomcat-4.1.18 and on the jboss-3.2.1_tomcat-4.1.24 bundle
Sorry the description of this problem is slightly incorrect. The principal is not set to null, but rather whatever the last login was, or null if URL didn't match up with any security constraints defined in web.xml.
I wrote a solution and would love it if you could make it or a derivation of it available on the mainline. This solution lets the Java code make the following static method available:
JBossServletAuthenticator.authenticate(String username, String credentials, HttpServletRequest request) throws FailedLoginException, LoginException
Instructions, source, and compiled class attached for anyone's usage.
Any developers on this forum? I hate to cross post to the developer forum to make the request official, but I really think that others would be interested in this solution.
Weblogic's API is quite nice: