Ok, I understand now.

I tested the case through the connector where you do want Tomcat authentication
and the user principal is always set to null, and everything worked fine with the
/examples/jsp/security/protected/index.html example. I was able to log in and
log out as expected and see the user principal.

Thanks for being so thorough.

Also, when I looked today at the nightly builds for 4.0.2, I noticed that the
tomcat-ajp.jar file had been broken up into multiple jar files. The build of
tomcat-jk.jar from 2:42AM last night did not include the changes you checked in
yesterday. When do the connector libraries used in the Tomcat 4.0.2 nightly builds
get rebuilt?

Jonathan

____________________Reply Separator____________________
Subject:    Re: cvs commit: jakarta-tomcat-connectors/jk/java/org/apache
Author: "Tomcat Developers List" <[EMAIL PROTECTED]>
Date:       2/15/2002 3:07 PM

> I don't understand what you mean here. If you want tomcat to authenticate, and
> the userid is passed in, your code doesn't call setUserPrincipal.

If you want Tomcat to authenticate, you set 'tomcatAuthentication' to true
(that's the default), in which case the connector will always set the user
principal to null, regardless of what was set by the connector.

> When the userid passed in is the empty string (not null) and you don't want
> Tomcat authentication, your code will set the user principal to an
> Ajp13Principal wrapping the empty string and Tomcat will generate the access
> denied (403) error when the user hits the page through the connector since the
> user principal will not be null, but will also be an invalid empty string
> userid.

If you don't want Tomcat to authenticate, you set 'tomcatAuthentication' to
false, and the fact of whether or not the principal is valid is irrelevant,
since Tomcat is never supposed to authenticate in the first place.

Note the (ajp.remoteUser() != null) which prevents calling toString on the
possibly null field.

I think I implemented what Nacho recommended (and which seems more
consistent).

Remy


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>



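The rule Remy describes above, written out as a small stand-alone illustration. This is added here and is not code from Tomcat or from the jakarta-tomcat-connectors commit under discussion: the AjpRequest and Ajp13Principal classes below are simplified stand-ins for the real connector types, and derivePrincipal is an assumed helper name. It shows the three inputs the thread argues about (a real user name, the empty string, and a missing attribute) under both settings of tomcatAuthentication, including the (ajp.remoteUser() != null) guard.

```java
import java.security.Principal;

/**
 * Illustration of how the AJP connector derives the user principal from the
 * remote-user attribute, depending on tomcatAuthentication. Not Tomcat's own
 * code: the nested classes are simplified stand-ins for the real ones.
 */
public class AjpPrincipalDemo {

    /** Stand-in for the connector's Ajp13Principal: a principal that only carries a name. */
    static final class Ajp13Principal implements Principal {
        private final String name;
        Ajp13Principal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "Ajp13Principal[" + name + "]"; }
    }

    /** Stand-in for the decoded AJP request; remoteUser is null when the attribute was not sent. */
    static final class AjpRequest {
        private final String remoteUser;
        AjpRequest(String remoteUser) { this.remoteUser = remoteUser; }
        String remoteUser() { return remoteUser; }
    }

    /**
     * tomcatAuthentication == true (the default): Tomcat authenticates itself, so
     * the connector always sets a null principal, whatever the web server sent.
     *
     * tomcatAuthentication == false: the connector trusts the web server and
     * wraps whatever it sent. The null guard prevents calling toString() on a
     * missing attribute; an empty string is still wrapped, which is the 403 case
     * raised in the thread, and by design Tomcat does not validate it here.
     */
    static Principal derivePrincipal(AjpRequest ajp, boolean tomcatAuthentication) {
        if (tomcatAuthentication) {
            return null;
        }
        if (ajp.remoteUser() != null) {
            return new Ajp13Principal(ajp.remoteUser().toString());
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal user, the empty string, and an absent attribute.
        String[] users = { "jonathan", "", null };
        boolean[] modes = { true, false };
        for (boolean tomcatAuth : modes) {
            for (String u : users) {
                Principal p = derivePrincipal(new AjpRequest(u), tomcatAuth);
                System.out.printf("tomcatAuthentication=%-5s remoteUser=%-10s -> %s%n",
                        tomcatAuth, u == null ? "null" : "\"" + u + "\"", p);
            }
        }
    }
}
```

With tomcatAuthentication set to false the connector accepts the remote user exactly as the front-end web server asserts it, so anything that can open an AJP connection to Tomcat directly could claim any user name; that setting only makes sense when the AJP port is reachable solely from the trusted web server that performs the authentication.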