cklein05 opened a new pull request #247: Tomcat Session Manager w/ 
Authentication Persistence
URL: https://github.com/apache/tomcat/pull/247
 
 
   This enhancement adds a new attribute `persistAuthentication` to both 
`StandardManager` and `PersistentManager`. When set to `true`, sessions 
maintained by that manager also persist authentication information (if 
any) along with the session's base data and attributes, that is, fields 
`authType` and `principal` of the `StandardSession` class. Effectively, this 
adds _Authentication Persistence_ to Tomcat's _Session Persistence_ feature.
   
   As a result, sessions remain authenticated when being restored from disk 
after an application restart (with `StandardManager`) or when (for whatever 
reason) being _swapped in_ by `PersistentManager`. That could be quite useful 
when a session-based authentication mechanism is used (e.g. FORM 
authentication). Since an application must be restarted in order to apply 
configuration changes, preserving authentication during that time may help to 
avoid bothering users by constantly requiring them to re-enter credentials.
   
   This enhancement is primarily intended for smaller installations, for which 
the more powerful clustering feature with session and authentication 
replication seems to be overdrawn. Indeed, this enhancement does not alter 
anything in, or interact with, Tomcat's _High Availability_ capabilities 
(Clustering).
   
   Since storing the session's principal to disk may be considered a security 
risk in some cases, this new attribute defaults to `false`, which completely 
disables authentication persistence.
   
   This enhancement has already been discussed quite intensively on the 
tomcat-users mailing list: ['Enhancement: New option 'persistAuthentication' 
for session 
manager'](https://www.mail-archive.com/users@tomcat.apache.org/msg134167.html).

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
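
A check an operator could run before enabling `persistAuthentication`, given the pull request's note that storing the principal on disk may be a security risk. This is an added example, not code from the pull request or from Tomcat; the function names and the two paths passed in are assumptions, while `SESSIONS.ser` and `*.session` are the file names `StandardManager` and `FileStore` write by default.

```shell
#!/bin/sh
# Added example: audit a context file and session store directory before
# relying on persistAuthentication. Paths are supplied by the caller (assumed).

# uses_persist_auth FILE
# Succeeds if a <Manager> element in FILE sets persistAuthentication="true".
uses_persist_auth() {
    # Flatten newlines so a <Manager ...> tag split over several lines matches.
    tr '\n' ' ' < "$1" |
        grep -Eq "<Manager[^>]*persistAuthentication=[\"']true[\"']"
}

# loose_session_files DIR
# Prints persisted session files that group or others can read or write.
# With authentication persistence on, these files hold authType and principal.
loose_session_files() {
    find "$1" -type f \( -name 'SESSIONS.ser' -o -name '*.session' \) \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \)
}

# audit_persist_auth CONTEXT_XML SESSION_DIR
# Returns 0 when nothing needs attention, 1 when persisted principals are
# exposed to accounts other than the file owner.
audit_persist_auth() {
    ctx=$1
    dir=$2
    if ! uses_persist_auth "$ctx"; then
        echo "OK: persistAuthentication is not enabled in $ctx"
        return 0
    fi
    loose=$(loose_session_files "$dir")
    if [ -z "$loose" ]; then
        echo "OK: persistAuthentication enabled, session files are owner-only"
        return 0
    fi
    echo "WARN: persistAuthentication enabled and these files are not owner-only:"
    echo "$loose"
    return 1
}

# Stand-alone use: sh audit.sh <context.xml> <session directory>
if [ "$#" -eq 2 ]; then
    audit_persist_auth "$1" "$2"
fi
```
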
