Hello,

[ What I'm trying to do ]
I'm trying to use container-based authentication while having session persistence provided by a PersistentManager (with FileStore) with Tomcat 4.1.29 (running under Windows XP for development purposes).

[ What works ]
Form-based authentication via a DataSourceRealm works fine. Persistence works fine as long as harmless objects such as strings are concerned: they appear happily in session scope after a restart of Tomcat.

[ What does not work ]
The user that has been logged in, however, is forced to log in again; this information seems to get lost during a restart.

[ What I already tried ]
Research on the web and in the archives did not give me a hint about what is going wrong. I looked up the documentation for org.apache.catalina.realm.GenericPrincipal (which stores the user information) and noticed that it is not serializable, i.e. it does not implement the java.io.Serializable interface. But being serializable is a prerequisite for being written to a FileStore (or any other store, most probably). An attempt to patch this class to make it implement this interface has not been successful because the GenericPrincipal objects hold references to the Realm, which is not serializable either (and for some good reasons, it seems).

Am I just missing something or is this really a problem? Has anyone managed to have persistent sessions with this (or any other) setup and can give me a hint? I'm reluctant to use application-based authentication both because of the work this would cause and because of the security issues involved.

Any feedback would be greatly appreciated.

Greetings,
Andreas Mohrig
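
The serialization failure described in the message above can be reproduced outside Tomcat. The following is an added example, not part of the original post and not Tomcat code: DemoRealm, NaivePrincipal and TransientRealmPrincipal are hypothetical stand-ins for the Realm and for a patched GenericPrincipal, and the user name and role are constructed sample values.

```java
import java.io.*;

// Hypothetical stand-ins, not Tomcat's classes (assumption for illustration only).
class PrincipalSerializationDemo {

    static class DemoRealm { final String name = "demo-realm"; }  // deliberately NOT Serializable

    // "Patched" principal: Serializable, but still holds a hard reference to the realm.
    static class NaivePrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name; final String[] roles; final DemoRealm realm;
        NaivePrincipal(String name, String[] roles, DemoRealm realm) {
            this.name = name; this.roles = roles; this.realm = realm;
        }
    }

    // Same data, realm marked transient: skipped on write, null after read.
    static class TransientRealmPrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name; final String[] roles; transient DemoRealm realm;
        TransientRealmPrincipal(String name, String[] roles, DemoRealm realm) {
            this.name = name; this.roles = roles; this.realm = realm;
        }
    }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        DemoRealm realm = new DemoRealm();
        String[] roles = {"user"};                       // constructed sample role
        try {
            write(new NaivePrincipal("alice", roles, realm));
        } catch (NotSerializableException e) {           // names the offending class
            System.out.println("naive principal rejected: " + e.getMessage());
        }
        TransientRealmPrincipal p = (TransientRealmPrincipal)
                read(write(new TransientRealmPrincipal("alice", roles, realm)));
        // Name and roles survive; the realm does not and must be re-attached by the caller.
        System.out.println(p.name + " roles=" + p.roles.length + " realm=" + p.realm);
    }
}
```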
