OK, I figured it out. In my web.xml, I had defined a security constraint to only apply to GET requests. Apparently (with Tomcat anyway), request.getUserPrincipal() will always return null if the resource is not part of a security constraint. So, since GET was part of the constraint, getPrincipal would return a valid object, while POST returned NULL.
Thanks for your help (if you intended to help)!

~ AR.

-----Original Message-----
From: Rustad, Aaron
Sent: October 18, 2003 9:40 AM
To: '[EMAIL PROTECTED]'
Subject: Strange Security Problem

I am encountering a strange security problem when trying to submit a form to an action. This JSP is as follows:

    <%= request.getUserPrincipal().getName() %>
    <form action="/edm/ebb/upload.do" method="POST">
      <table width="75%" border="1">
        <tr>
          <td><bean:message key="upload.from"/></td>
          <td><input type="text" name="from"/></td>
        </tr>
        <tr>
          <td><bean:message key="upload.to"/></td>
          <td><input type="text" name="to"/></td>
        </tr>
        <tr>
          <td><bean:message key="upload.version"/></td>
          <td><input type="text" name="version"/></td>
        </tr>
        <tr>
          <td><bean:message key="upload.file"/></td>
          <td><input type="file" name="input-data"></td>
        </tr>
      </table>
      <input type="submit" value="Submit"/>
    </form>
    <html:link forward="ups">upload</html:link>

The strange thing is this: When this page is loaded, and I am legitimately logged in, the name of the UserPrincipal is displayed as it should be. However, if I submit the form, the appropriate action class is called, but when I invoke request.getUserPrincipal()...it returns null. Notice the last line of the HTML, it has a link that points to the same action class...when it is clicked, the principal is propagated to the action and it is NOT null.

Can anyone help me out with this? I would like the post to work correctly.

Thanks!
Aaron.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
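
The cause given in the reply at the top of this thread, as an added example that is not part of the original messages: a small audit script that flags security constraints in a web.xml which list specific <http-method> elements and therefore leave other methods uncovered. The descriptor content (url-pattern /ebb/*, role name user) and all function names are constructed for illustration.

```python
# Added example: flag web.xml security constraints that only cover listed HTTP methods.
import xml.etree.ElementTree as ET

# Constructed descriptor of the kind described in the reply (pattern and role are assumptions).
WEAK = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>upload</web-resource-name>
      <url-pattern>/ebb/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same constraint with <http-method> removed: it then applies to every method.
FIXED = WEAK.replace("      <http-method>GET</http-method>\n", "")

def find(elem, name):
    """Find descendants by local name, so namespaced descriptors are handled too."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def method_limited_constraints(web_xml):
    """Return (url_patterns, listed_methods) for each authenticated collection
    that restricts itself to specific HTTP methods."""
    findings = []
    for constraint in find(ET.fromstring(web_xml), "security-constraint"):
        if not find(constraint, "auth-constraint"):
            continue  # constraint demands no authentication; nothing to miss
        for coll in find(constraint, "web-resource-collection"):
            methods = sorted(m.text.strip().upper()
                             for m in find(coll, "http-method") if m.text)
            if methods:
                patterns = [p.text.strip() for p in find(coll, "url-pattern") if p.text]
                findings.append((patterns, methods))
    return findings

def report(web_xml):
    """Human-readable findings, one line per method-limited collection."""
    return [f"{', '.join(p)}: only {', '.join(m)} covered; other methods are unconstrained"
            for p, m in method_limited_constraints(web_xml)]

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("fixed", FIXED)):
        print(name, report(doc) or "all methods covered")
```

The script looks at each constraint in isolation; it does not merge several constraints that cover the same url-pattern with different methods.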