Jon,

On 2/12/20 12:34 PM, Jonathan S. Fisher wrote:
> So the manager would be this, I've noticed it uses the
> StandardSession, which explicitly prevents serialization of the
> user principal and auth type:
> org.redisson.tomcat.RedissonSessionManager

Thank you.

> Two questions, on org.apache.catalina.Session, do the values
> getNote and setNote replicate across the cluster by default?

No, but it's important you understand that you don't have a "Tomcat cluster". You have whatever you get when you use RedissonSessionManager. I guess you could call it a "Redisson Cluster".

A "Tomcat Cluster" does indeed transmit user Principals across the cluster to other nodes. The fact that Redisson isn't really a bug in Tomcat.

> I'm curious if we could solve this whole thing with a valve that
> copies the principal into the org.apache.catalina.Session or the
> HttpSession.

Possibly.

> Next, Chris are you saying RedissonSessionManager should use their
> own implementation of StandardSession that preserves the
> principal?

Not necessarily. But if Redisson is responsible for handling session data around your cluster, then it needs to actually do so.

Note that packaging-up the whole session object and blasting it around to the other nodes isn't exactly a recommended technique. That's why (a) you don't see StandardSession saving its Principal when it's serialized and (b) the DeltaManager/DeltaSession don't work this way. They are called "delta" because they send only the differences around to the other clusters.

Redisson could certainly propagate user Principals around the cluster if it wanted to do so. Implementing it there would make much more sense than changing Tomcat's StandardSession serialization mechanism to include the Principal and then sending the whole session during every interaction.

> I guess I never got the questions answered, why isn't this the
> default behavior? It seems Tomcat goes well out of its way to
> *not serialize* the principal. I was wondering if there was a reason
> for that.

It might be surprising to find that your credentials are stored on the disk when you write a session there. This is a security consideration. If you want to get around that restriction, you have to work for it.

-chris
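
The security consideration raised in the reply above, as an added example that is not part of the original message and is not Tomcat or Redisson code: two session-like objects written with plain java.io serialization, one with an ordinary principal field and one with a transient field. All class names and the sample credential are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.Principal;

public class PrincipalSerializationDemo {
    // Hypothetical principal that carries the user's password with it.
    static class DemoPrincipal implements Principal, Serializable {
        private final String name, password;
        DemoPrincipal(String name, String password) { this.name = name; this.password = password; }
        @Override public String getName() { return name; }
    }

    // Hypothetical session that writes its principal along with everything else.
    static class LeakySession implements Serializable {
        String id = "constructed-session-id";
        Principal principal;
    }

    // Hypothetical session that keeps the principal in memory only; it is skipped on write.
    static class GuardedSession implements Serializable {
        String id = "constructed-session-id";
        transient Principal principal;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Java serialization stores ASCII strings as raw bytes, so a substring search is enough.
    static boolean contains(byte[] data, String needle) {
        return new String(data, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws IOException {
        Principal p = new DemoPrincipal("jon", "constructed-password");
        LeakySession leaky = new LeakySession();
        leaky.principal = p;
        GuardedSession guarded = new GuardedSession();
        guarded.principal = p;
        System.out.println("leaky stores password:   " + contains(serialize(leaky), "constructed-password"));
        System.out.println("guarded stores password: " + contains(serialize(guarded), "constructed-password"));
    }
}
```

The same byte array is what a session store would write to disk or send to another node, so anything reachable from a non-transient field ends up wherever the store's data lives.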