I use the jboss3.0.3/tomcat4.1.12 bundle.
I protect my EJBs. In my realm I have set unauthorisedIdentity to 'nobody'. I give access to 'nobody' on all the methods on my EJBs that everybody should be able to invoke. It works fine.
I want to do the same in the web layer. That is: I want to make security-constraints to 'nobody' on those of my JSP pages that everybody should be able to access.
The web layer and EJB are using the same realm, and thus unauthorisedIdentity is also 'nobody' for my web layer realm. If I put security-constraint with access to 'nobody' around a JSP page that I want unauthorised users to be able to access, they will NOT be able to. They will be led to the login-form, exactly as if they tried to access a page to which they do not have access.
Why does my unauthorisedIdentity 'nobody' setup work in the EJB layer but not the web layer?