I have a Java web application bundled as a WAR.
The application is deployed in jBoss 5.0.1.

For historical reasons I am unable to use the built-in authentication & authorisation specified via web.xml. Primarily this is because it isn't possible to specify the URLs that should be protected using web.xml's "web-resource-collection" element - the secure pages are in a variety of locations. As such there is no 'security-constraint' element in the web.xml file.

I have a login servlet mounted at '/login' that uses jBoss' programmatic web authentication - this seems to work fine.

However, when I make subsequent requests during the same session (same JSESSIONID), calls to request.getUserPrincipal() return NULL. Stepping through the requests in the debugger, I can see that the request's session is still valid and that the correct principal is associated.

How can I get request.getUserPrincipal() to return the principal attached to the session?