> I don't understand what you mean here. If you want tomcat to authenticate, and
> the userid is passed in, your code doesn't call setUserPrincipal.

If you want Tomcat to authenticate, you set 'tomcatAuthentication' to true (that's the default), in which case the connector will always set the user principal to null, regardless of what was set by the connector.

> When the userid passed in is the empty string (not null) and you don't want
> Tomcat authentication, your code will set the user principal to an
> Ajp13Principal wrapping the empty string and Tomcat will generate the access
> denied (403) error when the user hits the page through the connector since the
> user principal will not be null, but will also be an invalid empty string
> userid.

If you don't want Tomcat to authenticate, you set 'tomcatAuthentication' to false, and the fact of whether or not the principal is valid is irrelevant, since Tomcat is never supposed to authenticate in the first place.

Note the (ajp.remoteUser() != null) which prevents calling toString on the possibly null field.

I think I implemented what Nacho recommended (and which seems more consistent).

Remy