tomcat-users mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: Persist authenticated sessions across tomcat restarts
Date Tue, 31 Jul 2018 11:30:51 GMT
On 30.07.2018 17:57, Tim K wrote:
> On Mon, Jul 30, 2018, 4:26 AM Felix Schumacher <
> felix.schumacher@internetallee.de> wrote:
> 
>> On 27.07.2018 13:36, Tim K wrote:
>> > Hello,
>> >
>> > I'm creating a new app under Tomcat 9.0.8 (local dev: windows, live
>> > servers: linux).
>> >
>> > I have successfully created a custom JAAS authentication, which works
>> > just
>> > fine.
>> >
>> > I have SSO enabled at the moment, but not sure if I really need it.
>> >
>> > I left the default StandardManager config in place, I do see
>> > the SESSIONS.ser get created upon a shutdown and I see it get removed
>> > upon
>> > startup, so I'm assuming it's reading it in...
>> >
>> > I'm expecting that once a user authenticates with the JAAS module one
>> > time,
>> > and has a valid session, if I restart tomcat on the backend, that user
>> > will
>> > NOT need to re-authenticate, but it appears to be kicking them back to
>> > the
>> > login screen after the restart, and it's not accepting their JSESSIONID
>> > cookie value, it's giving them a new one upon hitting a secured
>> > resource.
>> >
>> > From what I've read, I believe that JAAS can cache an authenticated
>> > session, but it doesn't appear to be working for me.  Is there
>> > something
>> > I'm missing?  Also, I'm using form-login.
>> 
>> Are your Principal classes serializable?
>> Do you see any Exceptions in the log files when you restart Tomcat?
>> 
>> Regards,
>>   Felix
>> 
>> >
>> > Thank you,
>> >
>> > Tim

> 
> No exceptions in log.  And it doesn't work even when I don't store
> anything within the session.

I have dug deeper now and it seems that the principal object is
removed from the session before it is persisted.

In StandardSession.java you can find the following comment:

  /**
    * The authenticated Principal associated with this session, if any.
    * <b>IMPLEMENTATION NOTE:</b>  This object is <i>not</i> saved and
    * restored across session serializations!
    */
  protected transient Principal principal = null;


This variable stores the authenticated user.

Regards,
  Felix
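As an added illustration (not Tomcat's code and not from this thread): a cut-down class that declares the same transient field, written out and read back the way a StandardManager restart writes and reloads SESSIONS.ser. The class and field names other than `principal` are made up for the demo.

```java
import java.io.*;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Constructed stand-in for StandardSession: same field declaration as the
// snippet quoted above, plus one ordinary (non-transient) attribute map.
class SessionLike implements Serializable {
    private static final long serialVersionUID = 1L;
    /** Skipped by Java serialization, exactly like Tomcat's field. */
    protected transient Principal principal = null;
    /** Ordinary session attributes; these do survive the round trip. */
    protected Map<String, Object> attributes = new HashMap<>();
}

/** Minimal Principal. It is Serializable, so that is not what loses it. */
class UserPrincipal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

public class TransientPrincipalDemo {
    /** Write the session out and read it back, as a manager restart does. */
    static SessionLike roundTrip(SessionLike s) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(s);
        }
        // readObject() on bytes from an untrusted source is a deserialization
        // risk; here the input is the stream this method just produced.
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            return (SessionLike) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SessionLike before = new SessionLike();
        before.principal = new UserPrincipal("tim");   // constructed sample user
        before.attributes.put("cart", "3 items");
        SessionLike after = roundTrip(before);
        // The attribute is restored; the principal is null again. A secured
        // resource then sees an anonymous session and shows the login form.
        System.out.println("attribute after restart: " + after.attributes.get("cart"));
        System.out.println("principal after restart: " + after.principal);
    }
}
```

Storing nothing in the session makes no difference, as Tim observed, because it is the principal field itself, not the attributes, that is dropped.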
