Hi you can read: org.apache.catalina.session.StandardSession#doReadObject
" principal = null; // Transient only " so all user related methods will return null I think it is for security reasons cause otherwise it would be not that hard to steal sessions Romain Manni-Bucau Twitter: @rmannibucau Blog: http://rmannibucau.wordpress.com/ LinkedIn: http://fr.linkedin.com/in/rmannibucau Github: https://github.com/rmannibucau 2014-08-29 17:52 GMT+02:00 cocorossello <[email protected]>: > I have tried with tracking-mode, but still does not work. After the session > is serialized tomcat shows login page, giving me no chance to execute a > webFilter or whatever so I could just perform a request.login() with the > user and password. SessionListener won't work either as the session is not > really destroyed, I guess. > > > I'll try the same in a plain tomcat to see what's going on (or just give up > declarative security...) > > Best regards, > Vicente. > > > > -- > View this message in context: > http://tomee-openejb.979440.n4.nabble.com/Session-passivation-and-remote-user-tp4671464p4671473.html > Sent from the TomEE Users mailing list archive at Nabble.com.
