You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/06/12 08:41:46 UTC

DO NOT REPLY [Bug 29537] New: - User's identity and roles only for protected url

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29537>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29537

User's identity and roles only for protected url

           Summary: User's identity and roles only for protected url
           Product: Tomcat 5
           Version: 5.0.25
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: ephemeris.lappis@tiscali.fr


It seems Tomcat only sets the request user's identity (getUserPrincipal) and 
authorizations (isUserInRole) when the requested URL has been protected by 
security constraints. For example, if in my webapp i have two parts with path 
beginning with 'public' or 'protected', and i set a constraint on the second 
one, any request for the 'protected/...' URLs gives the correct user and roles, 
while all the 'public/...' always return a null user and false for role 
checkings.
The same war deployed on Tomcat 4 and Weblogic 8 has the correct behaviour.
Is this a change from the new servlet specification, or a bug ?
Thanks for help.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org