-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Omar,
Omar Nafees wrote: > 1) request.getRemoteUser() only works on the "entry-point" servlet (e.g. > index.jsp) - it doesn't work if you forward immediately to another page. > It seems strange that Tomcat doesn't keep remote user around for later > use and forces me to keep it around explicitly in some form (such as a > hidden POST parameter). This doesn't sound right; getRemoteUser should return the REMOTE_USER each time, regardless of which request it is. > 2) The above is assuming SSL is turned off for my application. The > minute I turn it on in it's security constraint (in web.xml) You cannot "turn on" SSL in web.xml; all you can do is require that SSL be used in order for security to work. Since you're using mod_jk, you won't be able to use CONFIDENTIAL as a security constraint, since mod_jk doesn't communicate using a CONFIDENTIAL channel. > request.getRemoteUser() only returns null. Is there a particular setting > in security constraint or elsewhere to achieve the desired behavior? I believe you are making a mistake by using CONFIDENTIAL in web.xml, and Tomcat is reacting correctly by refusing to accept the remote user as furnished by mod_jk because it is not being sent over SSL. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFG1InC9CaO5/Lv0PARAqkcAJwMsTd5dGvxmer7u8nhXICXmz2JoQCdHrL6 VjheIXl2zzd21ob1/mkUfRk= =NXlX -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]