tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Form Authentication vs. Tomcat Restart
Date Wed, 07 Dec 2011 15:42:41 GMT
2011/12/7 Mohammad M. AbuZer <m.abuzer09@gmail.com>:
> It should serialize User and Principals, nothing more, no need for password.
>
> On Wed, Dec 7, 2011 at 4:12 PM, Konstantin Kolinko
> <knst.kolinko@gmail.com> wrote:
>
>> 2011/12/7 Jess Holle <jessh@ptc.com>:
>> > I should have noted that this is with Tomcat 7.0.23, but it seemed unlikely
>> > to be JVM (Java 6 Update 29) or OS (Windows 7) specific.
>> >
>> > Of course given that I found that the documentation clearly states this
>> > behavior, I suspect this is longstanding Tomcat behavior.
>> >
>> > My remaining question is /why/ Tomcat behaves this way.  If one quickly
>> > restarts Tomcat for some reason and session data is preserved, you really
>> > don't want all the users to have to log in again, do you?
>> >
>>
>> I think there is a simple reason:
>> The data contain the user's password. You wouldn't want the password to be
>> written to disk. It is safer if it is kept in memory only.
>>

That depends on usage. Realms are used not only for Form
authentication, but for other authentication protocols as well.

Anyway, if it is not implemented, it likely means that nobody
contributed an implementation of it.

PS: Do not top-post.
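
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's code: a principal whose password is an ordinary field ends up in the serialized session bytes, while one that marks it `transient` persists only the name and roles. The class names `LeakyPrincipal` and `SafePrincipal` and the sample values are hypothetical.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class PrincipalPersistenceDemo {

    // Hypothetical principal: the password is an ordinary field, so Java
    // serialization writes it into whatever store holds the session.
    static class LeakyPrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        String name; List<String> roles; String password;
        LeakyPrincipal(String n, List<String> r, String p) { name = n; roles = r; password = p; }
    }

    // Hypothetical principal: 'transient' keeps the password out of the
    // serialized form; only name and roles survive a restart.
    static class SafePrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        String name; List<String> roles; transient String password;
        SafePrincipal(String n, List<String> r, String p) { name = n; roles = r; password = p; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // True if the ASCII text appears anywhere in the serialized bytes.
    static boolean contains(byte[] data, String text) {
        return new String(data, StandardCharsets.ISO_8859_1).contains(text);
    }

    public static void main(String[] args) throws Exception {
        String pw = "constructed-pw-123";               // constructed sample value
        List<String> roles = Arrays.asList("user", "admin");
        byte[] leaky = serialize(new LeakyPrincipal("alice", roles, pw));
        byte[] safe = serialize(new SafePrincipal("alice", roles, pw));
        System.out.println("leaky form contains password: " + contains(leaky, pw));
        System.out.println("safe form contains password:  " + contains(safe, pw));
        SafePrincipal restored = (SafePrincipal) deserialize(safe);
        System.out.println(restored.name + " " + restored.roles + " password=" + restored.password);
    }
}
```

A restored `SafePrincipal` still carries the identity and roles needed for authorization checks, but anything that needs the password again cannot get it from the persisted copy.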
