Is there a reason why org.apache.catalina.realm.GenericPrincipal is always used to 
mask the true principal behind the authentication process within each realm?

Why does Tomcat limit the ability to provide a more complex Principal when 
HttpServletRequest.getUserPrincipal() is called?

If anyone knows of any security risks by providing this more complex type (other than 
what the designer of the type introduces by faulty programming), I would like to hear 
them as well....

Randy Secrist
