I'm seeing the principal as null on unsecured pages after I'm authenticated (using the UsersRolesLoginModule).
I think this is a bug in Tomcat 4.1.24 (and possibly 4.1.12). It works in 4.0.6, but when you use Tomcat 4.1.24 standalone I get a null behavior. I'm not sure what happens with respect to Apache.
No, it's not a bug, it is in the spec. Search the forums for more info; this is a question that is often raised.
I am experiencing a similar problem. I login successfully and receive an error message about a null principal. This message originates from the EJBs that my servlet tries to access. Pressing refresh in my browser a few times brings me to the right page and everything works fine. Why is the SecurityContext of my servlet not being propagated to the EJB layer right away? I am using JBoss 3.2.1 with integrated Tomcat.
Any suggestions or links to other resources would be appreciated.
form based login?
The problem wasn't really a problem at all.
This is what was happening. In the constructor of my Struts action, which was triggered on demand when a user requested the URL mapped to that action, I created a login context that was linked to the client-login realm defined in my login-config.xml file. There was another login context in play when this was happening. This was the login context created by the servlet container when the user logged in, using form authentication. In my jboss-web.xml file I had the servlet container logging into the CitiHopeSecurityDomain. The two login contexts created unpredictable results. By removing the login in the Struts action and reshuffling the security settings in the ejb-jar.xml file I was able to get it to work.