I think this is an open question to the dev list right now as it was recently
discussed. The quick summary (IIRC) is if you are logged in and request a
page which is not defined in web.xml as protected, the spec doesn't require
that the RemoteUser be set. (Which really sucks.)


-Tim

Jim Kennedy wrote:
> I have recently noticed that when you have a site with both protected and
> unprotected pages that getRemoteUser returns null on the unprotected pages
> eventhough I have authenticated against a protected page. isUserInRole also
> does not work.
>
> Is there a way I can determine who is logged in when I access an unprotected
> url?
>
> To answer my own Q, I supose I could create an object and store it in the
> session then access later, but is there another way?
>
>
> Ultimately I would like to present a dynamic menu in which administrators
> see a different menu than regular joe users. The menu is part of every page
> in this case. I would simple like to hide "admin only" sections so regular
> users don't see them.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)