Nobody is paid to read these posts so the answer to your first question is no. It is based on people's willingness to provide answers voluntarily free of charge.
This implies two things:
1) formulate your question clearly and explain what you are trying to do, what version of JBoss you're running, which servlet engine you're using and what version of it. Are you trying to get the user principal from a secured web page or non-secured one for instance? There's a good guide on how to ask questions available here: http://catb.org/~esr/faqs/smart-questions.html
2) If you cannot find anyone willing to share their knowledge to you free of charge, the next logical step is to buy a support contract to get guaranteed answers. Especially if you expect answers within a couple of days.
A quick search reveals the following info related to your problem:
Actually, my first question was "Does anybody actually read these posts? ". Since you responded, the answer would be yes, not no :). I am well aware of what open source software entails, including the fact that support on forums is provided by people with a desire to help and not by people getting paid. Which I greatly appreciate. Was their something to be gained by pointing out the obvious? It is pointless to make assumptions about my knowledge or opinions.
Addressing point 1) I'm familiar with how to correctly formulate a question, but I suppose a review couldn't hurt. Thanks for the link. Here is a copy of the previous post (the one that I made 3 times):
If anybody has a working example of using getUserPrincipal() with JBoss3.2.1 would you mind replying with a zip/tar/whatever that includes your jboss-web.xml, login-config.xml, web.xml, and source code files for your HttpServlet (or the Action if you're using Struts) and LoginModule classes?
Considering the other posts I've seen, and help I've received from others, I think there's a bug in JBoss. So, with this post I'm trying to get somebody to either confirm or deny that, that way I know whether to just give up.
I did not bother asking for somebody to help me solve this problem since the solution is probably too complicated for somebody to help me resolve using a forum. A working example would be more than sufficient. What I'm trying to say is, I asked exactly what I wanted to ask in a very clear and concise manner.
Addressing point 2) I already did an exhaustive search of the JBoss archives looking for an answer, and came up with the same non-relevant postings that you did. My resource is protected, so none of those postings apply. If you're implying that I could have saved everybody time by simply doing a quick search myself, you've made an incorrect assumption.
My comment about buying a commercial app server, while born of frustration, isn't really impractical. The minimum support that you can buy from JBoss costs $10,000. Other application servers can be purchased for around the same amount, and they include a much richer set of documentation, and limited technical support. I'd be happy to pay A LOT more for decent JBoss documentation (I already have their All Docs subscription), but paying $10,000 to get a few simple questions asked seems a little absurd.
And finally, I apologize if you were offended by my post, but I carefully considered what I was writing, and I stand behind what I wrote. I posted the same thing 3 times with no response. It would be trivial for anybody who had gotten a non-null result to post the files I requested. Which led me to believe that either nobody has it working or nobody was reading these posts. I did not include the version (3.2.1) in this posting, which was definitely a mistake. Other than that I don't see any problems with what I wrote. Including the part where I question whether it makes sense to use an open source application server when the only solution to getting a 5 minute response is to pay $10,000.
I very much appreciate what JBoss is and does. It is absolutely fantastic that an open source product can reach the point that it has. However, it is still lacking in some areas and documentation is clearly one of them. This isn't a slight against JBoss, it's simply a fact that needs to be considered when deciding which app server should be deployed.
I appreciate that you took the time to respond and only regret that I am still without a solution to my problem.
If you think there's a bug in a recent version of JBoss or in the servlet container you're using (Tomcat?) then file it to SF bug tracker.
The previous bug report on this clearly indicates that accessing user principal from a secured resource does indeed work:
If I login (form-based, j_security_check style) in
order to access a protected resource (/restricted/*),
things go OK and I end up authenticated in the current
session - I can call HttpRequest.getUserPrincipal() OK.
If it does not work in a more recent version, then clearly it is a bug. Report it.
I can confirm that if a resource is secured, it does indeed get the user principal and roles back in the request to the servlet/JSP. When a resource is NOT secured (no roles specified) then it will currently get a NULL returned.
Whether this is what the application developer should expect is arguable ... I'm in the group that would argue that it should always return the userPrincipal and roles, hence allowing the application developer freedom to implement application level security themselves (e.g whether to present particular options to the user on a servlet response based on what permissions they have).
The workaround to the problem of this is to store the user principal in the HttpSession yourself when the user logs in, as well as the roles. This is wasteful, but is what app developers have to do to provide functionality to a user-base.
Would you mind posting your web.xml, jboss-web.xml and login-config.xml files?
Not sure of the relevance of web.xml, and jboss-web.xml files to this issue - userPrincipal and securityCredentials are all within the code. If you really want to see an example go to
http://www.ajsoft.net/Products/WebShop/ and you can download either the source or EAR's.