tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Klein, Carsten" <>
Subject Tomcat 7.x.x, 8.x.x, 8.5.x and 9.x.x: Session serialization w/o authentication related information
Date Thu, 28 Nov 2019 08:03:47 GMT
Hi there,

in all recent Tomcat versions the standard session implementation 
declares authentication related fields as 'transient', so both the 
session's authType as well as it's authenticated Principal is not saved 
and restored across restarts.

On those fields there is a comment that clearly describes that:

   * The authenticated Principal associated with this session, if any.
   * <b>IMPLEMENTATION NOTE:</b>  This object is <i>not</i> saved
   * restored across session serializations!
protected transient Principal principal = null;

However, the comment does not say WHY that information is omitted from 

It's fine to have session data persisted across restarts, however, 
currently, a session is no longer authenticated after a restart (at 
least with form login, with which credentials are not sent with every 

Actually, at least for my mind, that draws session persistence quite 
useless, because, after a restart, the client must re-login prior to use 
any resources having a security constraint.

That may be a security thing, but if, for example, passwords stored in 
the GenericPrincipal instance are not serialized, I don't see a security 
problem with persisting the session's principal.

Do you have any ideas on that or do you know how to work around this? 
Tomcat restarts are required from time to time. But it's really a bad 
idea to kick out all currently logged-in users just because Tomcat needs 
to be reconfigured, for example.

Regards Carsten


Carsten Klein
Lead Software Engineer

DataGis GmbH

Johann-Strauß-Str. 26
70794 Filderstadt

T +49 7158 9490-106
F +49 7158 9490-111


Registergericht: Amtsgericht Stuttgart, HRB 225945
Geschäftsführung: Dr. Gunter Hahn, Markus Ruess, Carsten Klein

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message