In my last (long) email I described how adding a BASIC login-config changes things and the roles are no longer getting stripped when using login() (even when never triggering a basic prompt). I figured I'd use this as a workaround until I figure out what is really going wrong. However, now I've noticed there is another problem, which may or may not be related.
As described before, when I first login using login() and have BASIC configured it works as expected. I can hit a protected resource as many times as I want and it works fine and the roles remain intact. But then I'll logout (again, all asynchronously from the same page), which both invalidates the session and calls logout() on the request, try to hit the protected resource, and get denied as expected. But then when I login using the same mechanism that worked before it seems to all work, but I'm still denied access to the resource. If I login *again*, then it works fine.

Investigating, after I do that login (which is failing) I can see it makes a principal available and creates a new session, and I record the ID. I can see that session ID being sent in the cookies of the subsequent protected resource request, which returns the 401. But when I do a logout I can pull the same session that was created, but now the principal is null, even though it existed when I logged in just moments before. So, instead of the roles being stripped as before, in this case the entire principal is being removed, but only when you login after an initial successful login, or maybe after a logout() call? I feel like I'm going crazy here.

None of this is happening in Tomcat 8.0. It is all working as expected. This is a minimal test application with essentially a default Tomcat config in both versions. Was anything (significant) changed to login() between Tomcat 8.5 and 9 that could be related?

Thanks,
Robert
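A diagnostic servlet that reproduces the sequence described in the mail (programmatic login(), then session invalidation plus logout(), then login() again) and reports the principal, session ID and role state after each step. This is an added example, not code from the original mail or from Tomcat; the servlet path `/authprobe`, the form parameter names, and the role name `manager` are assumptions, and it targets the javax.servlet API shipped with Tomcat 9.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Probe servlet (assumed path, not part of the original mail) that drives the
 * same login/logout/login sequence from a single page and writes the security
 * state after each step, so the two Tomcat versions can be compared directly.
 *
 * POST /authprobe?action=login   with form fields username/password
 * POST /authprobe?action=logout
 * GET  /authprobe                 (state only, no change)
 */
@WebServlet("/authprobe")
public class AuthProbeServlet extends HttpServlet {

    // Role to test with isUserInRole(); assumed name, adjust to your realm.
    private static final String PROBE_ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        dumpState("state", req, resp.getWriter());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String action = req.getParameter("action");

        dumpState("before " + action, req, out);

        if ("login".equals(action)) {
            // Programmatic login, as in the mail. Credentials come from the
            // form; the response body below never echoes them.
            try {
                req.login(req.getParameter("username"),
                          req.getParameter("password"));
                // Force a session so its ID can be recorded and compared
                // against the cookie sent on the next protected request.
                req.getSession(true);
            } catch (ServletException e) {
                out.println("login() failed: " + e.getMessage());
            }
        } else if ("logout".equals(action)) {
            // Same order the mail describes: invalidate the session first,
            // then call logout() on the request.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            req.logout();
        } else {
            out.println("unknown action: " + action);
        }

        dumpState("after " + action, req, out);
    }

    /** Writes principal, session ID and role membership for one step. */
    private static void dumpState(String label, HttpServletRequest req,
                                  PrintWriter out) {
        Principal p = req.getUserPrincipal();
        HttpSession session = req.getSession(false);
        out.println("[" + label + "]");
        out.println("  principal   = " + (p == null ? "null" : p.getName()));
        out.println("  remoteUser  = " + req.getRemoteUser());
        out.println("  sessionId   = " + (session == null ? "none" : session.getId()));
        out.println("  inRole(" + PROBE_ROLE + ") = " + req.isUserInRole(PROBE_ROLE));
        out.println("  authType    = " + req.getAuthType());
    }
}
```

Drive it from the same page with asynchronous POSTs in the order login, logout, login, and fetch the protected resource between steps; the "before"/"after" lines show whether the principal is already gone when the second login() returns or only disappears on the following request, which separates a login() regression from a session-replacement effect.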