On Tue, Jul 31, 2018, 7:31 AM Felix Schumacher < felix.schumac...@internetallee.de> wrote:
> On 30.07.2018 17:57, Tim K wrote:
> > On Mon, Jul 30, 2018, 4:26 AM Felix Schumacher <
> > felix.schumac...@internetallee.de> wrote:
> >
> >> On 27.07.2018 13:36, Tim K wrote:
> >> > Hello,
> >> >
> >> > I'm creating a new app under Tomcat 9.0.8 (local dev: windows, live
> >> > servers: linux).
> >> >
> >> > I have successfully created a custom JAAS authentication, which works
> >> > just fine.
> >> >
> >> > I have SSO enabled at the moment, but not sure if I really need it.
> >> >
> >> > I left the default StandardManager config in place, I do see
> >> > the SESSIONS.ser get created upon a shutdown and I see it get removed
> >> > upon startup, so I'm assuming it's reading it in...
> >> >
> >> > I'm expecting that once a user authenticates with the JAAS module one
> >> > time, and has a valid session, if I restart tomcat on the backend, that
> >> > user will NOT need to re-authenticate, but it appears to be kicking them
> >> > back to the login screen after the restart, and it's not accepting their
> >> > JSESSIONID cookie value, it's giving them a new one upon hitting a
> >> > secured resource.
> >> >
> >> > From what I've read, I believe that JAAS can cache an authenticated
> >> > session, but it doesn't appear to be working for me. Is there something
> >> > I'm missing? Also, I'm using form-login.
> >>
> >> Are your Principal classes serializable?
> >> Do you see any Exceptions in the log files when you restart Tomcat?
> >>
> >> Regards,
> >> Felix
> >>
> >> >
> >> > Thank you,
> >> >
> >> > Tim
> >
> > No exceptions in log. And it doesn't work even when I don't store
> > anything within the session.
>
> I have dug deeper now and it seems that the principal object is
> removed from the session before it is persisted.
>
> In StandardSession.java you can find the following comment:
>
>     /**
>      * The authenticated Principal associated with this session, if any.
>      * <b>IMPLEMENTATION NOTE:</b> This object is <i>not</i> saved and
>      * restored across session serializations!
>      */
>     protected transient Principal principal = null;
>
> This variable stores the authenticated user.
>
> Regards,
> Felix

So are you saying that persisting the authenticated session is not
possible with tomcat?