Hey Tomcat Users,

I've run into an interesting behavior with a custom JASPIC provider. When there is an existing session (i.e. a JSESSIONID cookie), it appears the groups/roles are not checked again, even when new groups are provided in the client Subject (JASPIC's validateRequest()). When attempting stateless authentication via JWT/OAuth, how can I ignore a previously set session for an individual request?
It appears to be based around equals() on my Principal object. I can make it so Principals generated via stateless authentication protocols are never equal, but then I get a new session id in the response. I don't want a session id at all for this request. Any ideas?

Thanks,
Mike
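As an added illustration (not the poster's provider and not Tomcat code), here is a minimal ServerAuthModule for the javax.* JASPIC namespace (Tomcat 9 and earlier) that asserts the caller from a Bearer token on every request, gives the Principal value-based equality that includes the groups, and never sets the Servlet Container Profile's "javax.servlet.http.registerSession" property, so the module itself never asks the container for a session. The token format and HMAC key are constructed for the demo (not a real JWT), TokenPrincipal and BearerTokenSam are hypothetical names, and whether the container still consults an already-existing session is exactly the open question in the post; this shows only the module side of the contract.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
/** Record equality includes the groups, so a token carrying new groups is not "the same" principal (hypothetical type). */
record TokenPrincipal(String name, List<String> groups) implements Principal {
    @Override public String getName() { return name; }
}
public class BearerTokenSam implements ServerAuthModule {
    private static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed, demo only
    private CallbackHandler handler;
    @Override public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map o) { handler = h; }
    @Override public Class[] getSupportedMessageTypes() { return new Class[] {HttpServletRequest.class, HttpServletResponse.class}; }
    @Override public AuthStatus secureResponse(MessageInfo mi, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject s) { s.getPrincipals().clear(); }
    @Override public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        String auth = ((HttpServletRequest) mi.getRequestMessage()).getHeader("Authorization");
        TokenPrincipal p = auth != null && auth.startsWith("Bearer ") ? verify(auth.substring(7)) : null;
        if (p == null) return AuthStatus.SEND_FAILURE; // missing or invalid token: fail, do not fall back to anything else
        try { // assert caller and groups into the client Subject via the container's callback handler
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, p),
                new GroupPrincipalCallback(client, p.groups().toArray(new String[0])) });
        } catch (Exception e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
        // "javax.servlet.http.registerSession" is intentionally never put into mi.getMap():
        // the caller is asserted per request and the module does not request a container session.
        return AuthStatus.SUCCESS;
    }
    /** Constructed demo token "b64url(name,g1,g2).b64url(HMAC-SHA256(payload))"; not a real JWT. */
    static TokenPrincipal verify(String token) {
        String[] parts = token.split("\\.", 2);
        if (parts.length != 2) return null;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            byte[] expected = mac.doFinal(parts[0].getBytes(StandardCharsets.US_ASCII));
            if (!MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(parts[1]))) return null; // constant-time compare
            List<String> f = List.of(new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8).split(","));
            return new TokenPrincipal(f.get(0), f.subList(1, f.size()));
        } catch (Exception e) { return null; }
    }
}
```

Because TokenPrincipal is a record, two tokens for the same user with different group lists produce unequal principals, which is the equals() behaviour the post observes the container keying on.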