Hi there,

In all recent Tomcat versions, the standard session implementation declares authentication-related fields as 'transient', so both the session's authType and its authenticated Principal are not saved and restored across restarts.

On those fields there is a comment that clearly describes this:

/**
 * The authenticated Principal associated with this session, if any.
 * <b>IMPLEMENTATION NOTE:</b>  This object is <i>not</i> saved and
 * restored across session serializations!
 */
protected transient Principal principal = null;

However, the comment does not say WHY that information is omitted from serialization.

It's fine to have session data persisted across restarts; however, currently, a session is no longer authenticated after a restart (at least with form login, where credentials are not sent with every request).

Actually, at least to my mind, that renders session persistence quite useless, because, after a restart, the client must log in again before using any resources that have a security constraint.

That may be a security thing, but if, for example, passwords stored in the GenericPrincipal instance are not serialized, I don't see a security problem with persisting the session's principal.

Do you have any ideas on that, or do you know how to work around this? Tomcat restarts are required from time to time, but it's really a bad idea to kick out all currently logged-in users just because Tomcat needs to be reconfigured, for example.

Regards, Carsten

--

Carsten Klein
Lead Software Engineer

DataGis GmbH

Johann-Strauß-Str. 26
70794 Filderstadt

T +49 7158 9490-106
F +49 7158 9490-111

E-Mail: c.kl...@datagis.com
Internet: www.datagis.com

Registergericht: Amtsgericht Stuttgart, HRB 225945
Geschäftsführung: Dr. Gunter Hahn, Markus Ruess, Carsten Klein

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
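The transient-field behaviour the message quotes, and the workaround it asks about, as an added example that is not code from the message or from Tomcat itself: a toy session class with the same transient authType/principal fields, serialized once with default serialization (the principal is silently dropped, which is what the poster observes after a restart) and once with writeObject/readObject that store only the principal's name and roles and rebuild the Principal on load, so the password never reaches the session store. DemoPrincipal, TransientSession, PersistingSession and the sample credentials are all constructed for this illustration. Run it with `java SessionPersistenceDemo.java` (Java 11 or later).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

public class SessionPersistenceDemo {

    /** Constructed stand-in for a container Principal; like GenericPrincipal it carries the password. */
    static final class DemoPrincipal implements Principal {
        final String name;
        final String password;      // must never reach the session store
        final List<String> roles;

        DemoPrincipal(String name, String password, List<String> roles) {
            this.name = name;
            this.password = password;
            this.roles = roles;
        }

        @Override public String getName() { return name; }
    }

    /** Mirrors the quoted Tomcat fields: default serialization simply drops transient members. */
    static final class TransientSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        transient String authType;
        transient DemoPrincipal principal;

        TransientSession(String id) { this.id = id; }
    }

    /**
     * Same transient fields, but writeObject/readObject persist the principal's
     * name and roles (never the password) and rebuild the Principal on load.
     */
    static final class PersistingSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        transient String authType;
        transient DemoPrincipal principal;

        PersistingSession(String id) { this.id = id; }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();                 // non-transient fields (id)
            out.writeObject(authType);
            out.writeObject(principal == null ? null : principal.name);
            out.writeObject(principal == null ? null : principal.roles.toArray(new String[0]));
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            authType = (String) in.readObject();
            String name = (String) in.readObject();
            String[] roles = (String[]) in.readObject();
            // The password is not available after a restart; the Principal is rebuilt without it.
            principal = name == null ? null : new DemoPrincipal(name, null, Arrays.asList(roles));
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    @SuppressWarnings("unchecked")
    static <T> T deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (T) ois.readObject();
        }
    }

    /** True if the ASCII string occurs anywhere in the serialized bytes (strings are written as modified UTF-8). */
    static boolean contains(byte[] data, String ascii) {
        return new String(data, StandardCharsets.ISO_8859_1).contains(ascii);
    }

    public static void main(String[] args) throws Exception {
        DemoPrincipal alice = new DemoPrincipal("alice", "s3cret", List.of("user", "admin"));

        TransientSession t = new TransientSession("sess-1");
        t.authType = "FORM";
        t.principal = alice;
        TransientSession t2 = deserialize(serialize(t));
        System.out.println("transient only: authType=" + t2.authType + " principal=" + t2.principal);

        PersistingSession p = new PersistingSession("sess-2");
        p.authType = "FORM";
        p.principal = alice;
        byte[] stored = serialize(p);
        PersistingSession p2 = deserialize(stored);
        System.out.println("persisted     : authType=" + p2.authType
                + " principal=" + p2.principal.getName() + " roles=" + p2.principal.roles);
        System.out.println("password present in stored bytes? " + contains(stored, "s3cret"));
    }
}
```

The first session comes back with a null authType and principal; the second comes back authenticated with name and roles, and the scan of the stored bytes shows the password string never left the JVM. Two caveats for anything beyond a demo: the readObject side should hand the persisted name back to the Realm rather than trust stored roles, since membership can change while the server is down, and a serialized principal is a bearer of authority, so the session store itself needs the same protection as the credentials it replaces. Later Tomcat releases expose this as a persistAuthentication attribute on the Manager, which serializes the Principal only when it is itself Serializable.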
