Scott M Stark wrote:

There is nothing wrong with basic auth in JBoss-3.2.2RC4_Tomcat-4.1.27. It sounds like the app is expecting there to be a valid user on non-secured pages and the caching that is required to achieve this is disabled in the embedded version because it breaks the ability to transmit the caller credentials from servlets to ejbs. There is no spec mandate that the caller identity is available within a session from unsecured pages.

Scott,


Here's a comment Simon Brown made. I'm passing it to the jboss-user list:

True, the spec may not explicitly mandate this, but
section SRV.12.3 Programmatic Security (servlets 2.3)
says the following:

If no user has been authenticated, the getRemoteUser
method returns null, the isUserInRole method always
returns false, and the getUserPrincipal method returns
null.

Clearly this is in contrast because this statement
doesn't differentiate protected and unprotected
resources. The javadoc of the relevant methods in
HttpServletRequest also makes no differentiation
between protected and unprotected resources, instead
being specific about whether the current user has
been authenticated. With our problem, the current
user has been authenticated.

-- Weiqi Gao [EMAIL PROTECTED] http://www.weiqigao.com
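As an added illustration of the SRV.12.3 behaviour discussed above (not code from the thread or from JBoss), here is a servlet written so that it works whether or not the container reports an identity on an unconstrained URL. It assumes a hypothetical web app where only /secure/* is covered by a BASIC security-constraint and a role named "admin" is declared.

```java
// Added example, not from the original thread. Assumes a web.xml that
// places a BASIC <security-constraint> on /secure/* only and declares
// the role "admin"; this servlet may be mapped to a constrained or an
// unconstrained URL.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WhoAmIServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // SRV.12.3: when no user has been authenticated, getUserPrincipal()
        // and getRemoteUser() return null and isUserInRole() returns false.
        Principal principal = req.getUserPrincipal();

        if (principal == null) {
            // Portable code treats a null principal as "no authenticated
            // caller for this request", never as a container bug. On an
            // unconstrained URL a container may report no identity even if
            // the same browser session authenticated elsewhere, so anything
            // that truly needs the caller's identity belongs under a
            // security-constraint rather than here.
            out.println("anonymous");
            return;
        }

        // Only reached on requests the container has authenticated.
        String user = req.getRemoteUser();          // same name as principal
        boolean admin = req.isUserInRole("admin");  // role from web.xml
        out.println("user=" + user + " admin=" + admin);
    }
}
```

Mapping the servlet to both /secure/whoami and /whoami and comparing the two responses shows whether a given container propagates the identity to unconstrained pages, which is exactly the point in dispute above.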