I'm a bit confused by the scope for authentication. For purposes of discussion, assume that there is a sub-section of my web-app that is protected via:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>somerole</role-name>
      </auth-constraint>
    </security-constraint>
If a user successfully authenticates to access a resource in the 'Protected Area', and then subsequently requests a non-protected page, is the Container required to report (via request.getUserPrincipal/request.getRemoteUser) the authentication information that was used to access the 'Protected Area' for the request to the non-protected page? The remark in section 12.6 that the "servlet container is required to track authentication information at the container level" (except that this is qualified in the same sentence), and the remark in section 12.10 that a 'null' value for request.getUserPrincipal "indicates that a user is logged out", would seem to say that the user needs to be tracked for the entire web-app. However, I'm the first to admit to possibly reading more into this than was intended. I'm asking this, since at the moment Tomcat (and, therefore, presumably the J2EE RI) does not track user authentication for requests to non-authenticated pages. I'm hoping that this issue can be clarified in the final draft of the 2.4 spec.
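As an added example (not the poster's code, nor Tomcat's), a diagnostic filter that, when mapped to /* in web.xml, logs what the container reports for every request; comparing the lines for a /protected/* request and a following unprotected request in the same session shows directly whether the container carries the principal across. It assumes the Servlet 2.4-era javax.servlet API and a context-relative /protected/ path as in the constraint above.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Diagnostic filter (added example). Declare it in web.xml with a
 * <filter-mapping> whose <url-pattern> is /* so it sees both protected
 * and unprotected requests; the container's own security check still
 * runs before this filter for /protected/* paths.
 */
public class AuthStateLogFilter implements Filter {

    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String uri = http.getRequestURI();
            // Path prefix assumed from the constraint in the message above.
            boolean inProtectedArea = uri.startsWith(http.getContextPath() + "/protected/");
            Principal principal = http.getUserPrincipal();
            // getSession(false) avoids creating a session as a side effect of logging.
            boolean hasSession = http.getSession(false) != null;
            // Log only what is needed to compare the two cases; no session id is written.
            context.log("auth-state"
                    + " uri=" + uri
                    + " protected=" + inProtectedArea
                    + " authType=" + http.getAuthType()
                    + " remoteUser=" + http.getRemoteUser()
                    + " principal=" + (principal == null ? "null" : principal.getName())
                    + " session=" + hasSession);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        context = null;
    }
}
```

If the unprotected request logs principal=null while the preceding protected one in the same session did not, application code on unprotected pages must not treat getUserPrincipal() as a reliable "logged in" indicator on that container.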