2011/12/7 Mohammad M. AbuZer <m.abuze...@gmail.com>: > It should serialize User and Principles nothing more, no need for password. > > On Wed, Dec 7, 2011 at 4:12 PM, Konstantin Kolinko > <knst.koli...@gmail.com>wrote: > >> 2011/12/7 Jess Holle <je...@ptc.com>: >> > I should have noted that this is with Tomcat 7.0.23, but it seemed >> unlikely >> > to be JVM (Java 6 Update 29) or OS (Windows 7) specific. >> > >> > Of course given that I found that the documentation clearly states this >> > behavior, I suspect this is longstanding Tomcat behavior. >> > >> > My remaining question is /why/ Tomcat behaves this way. If one quickly >> > restarts Tomcat for some reason and session data is preserved, you really >> > don't want all the users to have to login again do you? >> > >> >> I think there are a simple reason: >> The data contain user's password. You wouldn't want the password to be >> written to disk. It is safer if it is kept in memory only. >>
That depends on usage. Realm are used not only for Form authentication, but for other authentication protocols as well. Anyway if it is not implemented it likely means that nobody contributed an implementation of it. PS: Do not top-post. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
