that is, what „transient“ means...

--
Regards
burghard.britzke
https://britzke.berlin/

> On 31.07.2018 at 13:39, Tim K <tim.k.5...@gmail.com> wrote:
>
> On Tue, Jul 31, 2018, 7:31 AM Felix Schumacher <
> felix.schumac...@internetallee.de> wrote:
>
>> On 30.07.2018 17:57, Tim K wrote:
>>> On Mon, Jul 30, 2018, 4:26 AM Felix Schumacher <
>>> felix.schumac...@internetallee.de> wrote:
>>>
>>>> On 27.07.2018 13:36, Tim K wrote:
>>>>> Hello,
>>>>>
>>>>> I'm creating a new app under Tomcat 9.0.8 (local dev: windows, live
>>>>> servers: linux).
>>>>>
>>>>> I have successfully created a custom JAAS authentication, which works
>>>>> just fine.
>>>>>
>>>>> I have SSO enabled at the moment, but not sure if I really need it.
>>>>>
>>>>> I left the default StandardManager config in place, I do see
>>>>> the SESSIONS.ser get created upon a shutdown and I see it get removed
>>>>> upon startup, so I'm assuming it's reading it in...
>>>>>
>>>>> I'm expecting that once a user authenticates with the JAAS module one
>>>>> time, and has a valid session, if I restart tomcat on the backend, that
>>>>> user will NOT need to re-authenticate, but it appears to be kicking them
>>>>> back to the login screen after the restart, and it's not accepting their
>>>>> JSESSIONID cookie value, it's giving them a new one upon hitting a
>>>>> secured resource.
>>>>>
>>>>> From what I've read, I believe that JAAS can cache an authenticated
>>>>> session, but it doesn't appear to be working for me. Is there something
>>>>> I'm missing? Also, I'm using form-login.
>>>>
>>>> Are your Principal classes serializable?
>>>> Do you see any Exceptions in the log files when you restart Tomcat?
>>>>
>>>> Regards,
>>>> Felix
>>>>
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Tim
>>
>>>
>>> No exceptions in log. And it doesn't work even when I don't store
>>> anything within the session.
>>
>> I have dug deeper now and it seems that the principal object is
>> removed from the session before it is persisted.
>>
>> In StandardSession.java you can find the following comment:
>>
>> /**
>>  * The authenticated Principal associated with this session, if any.
>>  * <b>IMPLEMENTATION NOTE:</b> This object is <i>not</i> saved and
>>  * restored across session serializations!
>>  */
>> protected transient Principal principal = null;
>>
>>
>> This variable stores the authenticated user.
>>
>> Regards,
>> Felix
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>> So are you saying that persisting the authenticated session is not
>> possible with tomcat?