Hi Mark-
Thanks for the response.
> > * if the application is undeployed and redeployed (while the server
> >remains running) a new session is silently generated, and any contents
> >disappear, but the user maintains her authentication
>
> As expected. Redeploy (undeploy+deploy) != reload (stop+start)
This is a good point and why I sent the follow-up email. However, I'd
expect the undeploy+deploy to be the one to completely clean out and
invalidate the session, but the distinction isn't important for my
situation.
> > * if the server is shut down and restarted then everything seems to
> >disappear, as I then get a 403 when trying to access the protected page
>
> Expected behaviour here will depend on whether a server shutdown shuts
> down Tomcat cleanly. From your description it sounds like it does not.
I just re-ran my test getting the same result, i.e., after a server restart
a previously accessible request now gives a 403. Looking at the logs, the
shutdown seems fine (i.e., nothing above INFO), and there were only a few
lines, but this one might be relevant:
INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log SessionListener: contextDestroyed()
On subsequent startup there are a lot more logs, but one warning that
doesn't seem relevant:
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine/Realm/Realm/CredentialHandler} Setting property 'keyLength' to '256' did not find a matching property.
But maybe it is? There was also this session-relevant line:
INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log SessionListener: contextInitialized()
So not sure what is going on. I'll see if I can figure out if that WARNING
is causing issues. Thanks for the guidance, but please let me know if
there's anything else I can look at.
Robert