Re: Persist authenticated sessions across tomcat restarts

Tue, 31 Jul 2018 04:31:24 -0700 

Am 30.07.2018 17:57, schrieb Tim K:

On Mon, Jul 30, 2018, 4:26 AM Felix Schumacher <
felix.schumac...@internetallee.de> wrote:


Am 27.07.2018 13:36, schrieb Tim K:
> Hello,
>
> I'm creating a new app under Tomcat 9.0.8 (local dev: windows, live
> servers: linux).
>
> I have successfully created a custom JAAS authentication, which works
> just
> fine.
>
> I have SSO enabled at the moment, but not sure if I really need it.
>
> I left the default StandardManager config in place, I do see
> the SESSIONS.ser get created upon a shutdown and I see it get removed
> upon
> startup, so I'm assuming it's reading it in...
>
> I'm expecting that once a user authenticates with the JAAS module one
> time,
> and has a valid session, if I restart tomcat on the backend, that user
> will
> NOT need to re-authenticate, but it appears to be kicking them back to
> the
> login screen after the restart, and it's not accepting their JSESSIONID
> cookie value, it's giving them a new one upon hitting a secured
> resource.
>
> From what I've read, I believe that JAAS can cache an authenticated
> session, but it doesn't appear to be working for me.  Is there
> something
> I'm missing?  Also, I'm using form-login.

Are your Principal classes serializable?
Do you see any Exceptions in the log files when you restart Tomcat?

Regards,
  Felix

>
> Thank you,
>
> Tim




No exceptions in log.  And it doesn't work even when I don't store
anything within the session.
I have digged deeper now and it seems that the principal object is removed from the session before it is persisted. 

In StandardSession.java you can find the following comment:

 /**
   * The authenticated Principal associated with this session, if any.
   * <b>IMPLEMENTATION NOTE:</b>  This object is <i>not</i> saved and
   * restored across session serializations!
   */
 protected transient Principal principal = null;


This variable stores the authenticated user.

Regards,
 Felix

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to