On Tue, Jul 31, 2018, 7:42 AM Burghard Britzke <b...@charmides.in-berlin.de>
wrote:

> that is, what "transient" means...
> --
> Regards
> burghard.britzke
> https://britzke.berlin/
>
> On 31.07.2018 at 13:39, Tim K <tim.k.5...@gmail.com> wrote:
>
> On Tue, Jul 31, 2018, 7:31 AM Felix Schumacher <
> felix.schumac...@internetallee.de> wrote:
>
> On 30.07.2018 17:57, Tim K wrote:
>
> On Mon, Jul 30, 2018, 4:26 AM Felix Schumacher <
> felix.schumac...@internetallee.de> wrote:
>
> On 27.07.2018 13:36, Tim K wrote:
>
> Hello,
>
> I'm creating a new app under Tomcat 9.0.8 (local dev: windows, live servers: linux).
>
> I have successfully created a custom JAAS authentication, which works just fine.
>
> I have SSO enabled at the moment, but not sure if I really need it.
>
> I left the default StandardManager config in place, I do see the SESSIONS.ser get created upon a shutdown and I see it get removed upon startup, so I'm assuming it's reading it in...
>
> I'm expecting that once a user authenticates with the JAAS module one time, and has a valid session, if I restart tomcat on the backend, that user will NOT need to re-authenticate, but it appears to be kicking them back to the login screen after the restart, and it's not accepting their JSESSIONID cookie value, it's giving them a new one upon hitting a secured resource.
>
> From what I've read, I believe that JAAS can cache an authenticated session, but it doesn't appear to be working for me.  Is there something I'm missing?  Also, I'm using form-login.
>
>
> Are your Principal classes serializable?
> Do you see any Exceptions in the log files when you restart Tomcat?
>
> Regards,
>  Felix
>
>
> Thank you,
>
> Tim
>
>
>
> No exceptions in log.  And it doesn't work even when I don't store
> anything within the session.
>
>
> I have dug deeper now and it seems that the principal object is
> removed from the session before it is persisted.
>
> In StandardSession.java you can find the following comment:
>
>  /**
>    * The authenticated Principal associated with this session, if any.
>    * <b>IMPLEMENTATION NOTE:</b>  This object is <i>not</i> saved and
>    * restored across session serializations!
>    */
>  protected transient Principal principal = null;
>
>
> This variable stores the authenticated user.
>
> Regards,
>  Felix
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> <users-unsubscr...@tomcat.apache.org>
> For additional commands, e-mail: users-h...@tomcat.apache.org
> <users-h...@tomcat.apache.org>
>
>
> So are you saying that persisting the authenticated session is not
> possible with tomcat?
>
>
I stumbled upon this page:
https://gist.github.com/tdakanalis/06d168925f80a72859cb

It appears you can do it with some customization.
