I have a site with a public and a protected area. The protected area has a security constraint set in web.xml. When the user wanders into the protected area he/she has to log in using basic authentication. No problems so far.

On the public pages I have a message that shows whether the user is logged in or not. It uses request.getRemoteUser(), but sometimes after an authentication has occurred I still get null back from the method. This might have to do with servlet reloading or JSP recompiles, but when I navigate to the protected area I don't need to log in again, so the credentials set by the browser are still valid.

Question: Is this correct behavior? I can't count on getRemoteUser() to return a user for a non-protected area despite the fact that the user has previously performed a login?

/Magnus