tomcat-users mailing list archives

From Burghard Britzke <b...@charmides.in-berlin.de>
Subject Re: Persist authenticated sessions across tomcat restarts
Date Tue, 31 Jul 2018 11:42:25 GMT
That is what "transient" means...
--
Regards
burghard.britzke
https://britzke.berlin/

> On 31.07.2018 at 13:39, Tim K <tim.k.5967@gmail.com> wrote:
> 
> On Tue, Jul 31, 2018, 7:31 AM Felix Schumacher <felix.schumacher@internetallee.de> wrote:
> 
>> On 30.07.2018 17:57, Tim K wrote:
>>> On Mon, Jul 30, 2018, 4:26 AM Felix Schumacher <felix.schumacher@internetallee.de> wrote:
>>> 
>>>> On 27.07.2018 13:36, Tim K wrote:
>>>>> Hello,
>>>>> 
>>>>> I'm creating a new app under Tomcat 9.0.8 (local dev: Windows, live
>>>>> servers: Linux).
>>>>> 
>>>>> I have successfully created a custom JAAS authentication, which works
>>>>> just fine.
>>>>> 
>>>>> I have SSO enabled at the moment, but not sure if I really need it.
>>>>> 
>>>>> I left the default StandardManager config in place. I do see the
>>>>> SESSIONS.ser get created upon a shutdown and I see it get removed upon
>>>>> startup, so I'm assuming it's reading it in...
>>>>> 
>>>>> I'm expecting that once a user authenticates with the JAAS module one
>>>>> time, and has a valid session, if I restart Tomcat on the backend, that
>>>>> user will NOT need to re-authenticate, but it appears to be kicking them
>>>>> back to the login screen after the restart, and it's not accepting their
>>>>> JSESSIONID cookie value; it's giving them a new one upon hitting a
>>>>> secured resource.
>>>>> 
>>>>> From what I've read, I believe that JAAS can cache an authenticated
>>>>> session, but it doesn't appear to be working for me. Is there something
>>>>> I'm missing? Also, I'm using form-login.
>>>> 
>>>> Are your Principal classes serializable?
>>>> Do you see any Exceptions in the log files when you restart Tomcat?
>>>> 
>>>> Regards,
>>>>  Felix
>>>> 
>>>>> 
>>>>> Thank you,
>>>>> 
>>>>> Tim
>> 
>>> 
>>> No exceptions in the log. And it doesn't work even when I don't store
>>> anything within the session.
>> 
>> I have dug deeper now and it seems that the principal object is
>> removed from the session before it is persisted.
>> 
>> In StandardSession.java you can find the following comment:
>> 
>>   /**
>>    * The authenticated Principal associated with this session, if any.
>>    * <b>IMPLEMENTATION NOTE:</b>  This object is <i>not</i> saved and
>>    * restored across session serializations!
>>    */
>>   protected transient Principal principal = null;
>> 
>> 
>> This variable stores the authenticated user.
>> 
>> Regards,
>>  Felix
>> 
> So are you saying that persisting the authenticated session is not
> possible with Tomcat?
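The following is an added example, not code from this thread or from Tomcat itself. It reproduces the mechanism Felix quotes above with a stand-alone Java program: a stand-in session class that declares its principal field exactly the way StandardSession does (`transient Principal principal`), serialized and deserialized the way StandardManager round-trips SESSIONS.ser. The class names `DemoSession` and `DemoPrincipal` and the sample values are my own; they are not Tomcat types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class TransientPrincipalDemo {

    /**
     * Stand-in for an application Principal (hypothetical, not a Tomcat class).
     * It is deliberately Serializable: the point of the demo is that this alone
     * does not make the principal survive the round trip.
     */
    static final class DemoPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        DemoPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "DemoPrincipal[" + name + "]"; }
    }

    /**
     * Stand-in for StandardSession (hypothetical): ordinary attributes are
     * written by ObjectOutputStream, the principal field is declared transient
     * and is therefore skipped, exactly as the quoted Tomcat comment says.
     */
    static final class DemoSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final Map<String, Object> attributes = new HashMap<>();
        transient Principal principal = null;
    }

    /** Serialize the session to bytes, the way a SESSIONS.ser file is written at shutdown. */
    static byte[] persist(DemoSession session) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(session);
        }
        return bos.toByteArray();
    }

    /** Read the session back, the way the manager reloads SESSIONS.ser at startup. */
    static DemoSession restore(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (DemoSession) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        DemoSession before = new DemoSession();
        before.principal = new DemoPrincipal("tim");   // set after a successful login
        before.attributes.put("cart", "3 items");      // ordinary, serializable session data

        // Simulated restart: write out, throw away the live object, read back.
        DemoSession after = restore(persist(before));

        System.out.println("attribute after restore: " + after.attributes.get("cart"));
        System.out.println("principal after restore: " + after.principal);
    }
}
```

Compile and run with `javac TransientPrincipalDemo.java && java TransientPrincipalDemo`. The attribute map comes back intact while the principal comes back as null, even though DemoPrincipal is Serializable, which is why the first check in the thread (are the Principal classes serializable?) did not change Tim's result. Whether a container should restore authenticated state from a file on disk is a design decision, since that file then acts as an at-rest authentication token; with the transient declaration Tomcat chooses not to, and the application sees a restored session whose user is anonymous.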

