I am currently trying to design a webapp using open-source containers which implement the latest specs. This means tomcat403 (for servlets2.3 and jsp1.2) and jboss300 (for ejb2.0).
During an upgrade to both of the containers implementing these specs, I experience an anomaly which has to do with the servlet container not remembering an authenticated user unless he has requested a secured web resource (i.e. the request method getUserPrincipal() returns null when he has requested an unsecured web resource). I am using form-based authentication aka j_security_check - without calling any ejbs. I'm using the DatabaseServerLoginModule.
At the moment the highest I can go before I lose either spec is the following:
jb241a+tc323 = ok!
jb243+tc40 = ok!
jb244+tc323 = ok!
jb244+tc40 = bad! (using the same tc40 as above!);
jb245+tc40 = bad! (using the same tc40 as above!);
jb243+tc401 = starts up ok but I didn't get far enough to test (get http status 403 - access to requested resource denied when accessing a secured resource);
jb243+tc403 = (same as above)
jb244+tc331 = (didn't get far enough to test)
jb244+tc324 = (couldn't test due to classpath problem I have yet to resolve - only in this bundle, tho');
I've spent ages on this trial and error approach (I have posted other similar messages - and not only on this forum: struts-user and tomcat-user) but I'm still really stuck with this - I want to proceed using servlets2.3 and jsp1.2 but not at the expense of ejb2.0 and vice versa.
Please could someone let me know whether this is a jboss problem (I have asked again on the tomcat-user forum). I heard on the struts mailing list that this problem is occurring on someone's websphere containers too so that could be a real spanner.
Also I noticed that the form-based auth tc valve is only being called for secured resources (in the 'bad' versions) - does anyone know if this is intentional?
I know this message may be a little loaded but any feedback on this will be massively appreciated.
(should this go to jboss-dev, perhaps?)
ahhh ... sorry, this was meant for the security forum not installation - although it kind of applies anyway.