tomcat-users mailing list archives

From "Mohammad M. AbuZer" <m.abuze...@gmail.com>
Subject Re: Form Authentication vs. Tomcat Restart
Date Wed, 07 Dec 2011 15:23:10 GMT
It should serialize User and Principals, nothing more, no need for password.

On Wed, Dec 7, 2011 at 4:12 PM, Konstantin Kolinko <knst.kolinko@gmail.com> wrote:

> 2011/12/7 Jess Holle <jessh@ptc.com>:
> > I should have noted that this is with Tomcat 7.0.23, but it seemed unlikely
> > to be JVM (Java 6 Update 29) or OS (Windows 7) specific.
> >
> > Of course given that I found that the documentation clearly states this
> > behavior, I suspect this is longstanding Tomcat behavior.
> >
> > My remaining question is /why/ Tomcat behaves this way.  If one quickly
> > restarts Tomcat for some reason and session data is preserved, you really
> > don't want all the users to have to log in again, do you?
> >
>
> I think there is a simple reason:
> The data contains the user's password. You wouldn't want the password to be
> written to disk. It is safer if it is kept in memory only.
>
>
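
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's code: two hypothetical principal classes are serialized the way persisted session data would be, and the resulting bytes are searched for the password. The class names, user name, role and password are all constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class SessionPrincipalDemo {
    // Hypothetical classes for illustration; not Tomcat's own principal implementation.
    static class LeakyPrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        String name; List<String> roles;
        String password;            // written out with the rest of the session data
        LeakyPrincipal(String n, List<String> r, String p) { name = n; roles = r; password = p; }
    }

    static class SafePrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        String name; List<String> roles;
        transient String password;  // skipped by default serialization: memory only
        SafePrincipal(String n, List<String> r, String p) { name = n; roles = r; password = p; }
    }

    // Serialize to a byte array, standing in for the on-disk session store.
    static byte[] persist(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object restore(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        }
    }

    // ASCII strings are stored byte-for-byte in the stream, so a plain search finds them.
    static boolean containsText(byte[] blob, String text) {
        return new String(blob, StandardCharsets.ISO_8859_1).contains(text);
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-sample-password";   // constructed sample value
        List<String> roles = new ArrayList<>(Arrays.asList("manager-gui"));
        byte[] leaky = persist(new LeakyPrincipal("jdoe", roles, secret));
        byte[] safe = persist(new SafePrincipal("jdoe", roles, secret));
        System.out.println("leaky blob contains password: " + containsText(leaky, secret));
        System.out.println("safe blob contains password:  " + containsText(safe, secret));
        SafePrincipal back = (SafePrincipal) restore(safe);
        System.out.println("restored: " + back.name + " " + back.roles + " password=" + back.password);
    }
}
```

The restored `SafePrincipal` keeps its name and roles while the `transient` password field comes back as `null`, so any code that needs the credential after a restart has to ask the user for it again.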
