JAAS Session validator populates the Jetspeed User via the servlet.getUserPrincipal() call
When using this session validator, Authentication is delegated to the Application Server.
Recommend disabling all user login functionality via Jetspeed, and using your web.xml
to protect access to all Jetspeed resources (place after resource-ref or welcome-file-list:
Jetspeed SecurityProtected Area/*DELETEGETPOSTPUTuseradminBASICJetspeed BASIC Authenticationadminuserguest
Place the following the the servlet element where the Turbine servlet is defined:
useruseradminadminguestguest
Version:
$Id: JAASSessionValidator.java,v 1.3 2004/08/12 17:38:30 taylor Exp $