either Tomcat or JBoss is my stumbling block

[jfc100 <jf...@btopenworld.com>]

Hi,

I am currently trying to design a webapp using opensource containers 
which implement the latest specs. This means tomcat403(for servlets2.3 
and jsp1.2) and jboss300(for ejb2.0).

During an upgrade to both of the containers implementing these specs, I 
experience an anomally which has to do with the servlet container not 
remembering an authenticated user unless he has requested a secured web 
resource (i.e. the request method getUserPrincipal() returns null when 
he has requested an unsecured web resource). I am using form-based 
authentication aka j_security_check.

At the moment the highest I can go before I lose either spec is the 
following:

jb241a+tc323    =    ok!
jb243+tc40    =    ok!
jb244+tc323    =    ok!

jb244+tc40    =    bad! (using the same tc40 as above!);
jb245+tc40    =    bad! (using the same tc40 as above!);

jb243+tc401    =    starts up ok but I didn't get far enough to test 
(get http status 403 - access to requested resource denied when 
accessing a secured resource);
jb243+tc403    =     (same as above)
jb244+tc331    =    (didn't get far enough to test)
jb244+tc324    =    (couldn't test due to classpath problem I have yet 
to resolve - only in this bundle, tho');

I've spent ages on this trial and error approach but I'm still really 
stuck with this -  I want to proceed using servlets2.3 and jsp1.2 but 
not at the expense of ejb2.0 and vice versa.

*Please* could someone let me know whether this is a tomcat problem (I 
will ask again on the jboss forum). I heard on the struts mailing list 
that this problem is occurring on someone's websphere containers too so 
that could be a real spanner.

Also I noticed that the form-based auth valve is only being called for 
secured resources - is this intended?
 
Thanks
Joe
(should this go to tomcat-dev, perhaps?)


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>