Posted to users@tomcat.apache.org by Jess Holle <je...@ptc.com> on 2011/12/07 00:12:02 UTC

Form Authentication vs. Tomcat Restart

When doing a graceful shutdown of Tomcat, the sessions are persisted to 
disk and then re-read on startup (at least in all reasonably recent 
versions).

Oddly, however, form-based authentication does not seem to survive a 
graceful restart.  Rather one has to log in again.  Is this known?  
Intentional?  Configurable?

--
Jess Holle


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Form Authentication vs. Tomcat Restart

Posted by Jess Holle <je...@ptc.com>.
You get an error when that's what's occurring, though.

On 12/7/2011 12:55 PM, Christopher Schultz wrote:
> Jess,
>
> On 12/6/11 6:17 PM, Jess Holle wrote:
>> Okay, I now notice this plainly stated in the documentation for
>> JNDIRealm (which I'm using):
>>
>> The cached user is *not* saved and restored across sessions
>> serialisations.
>>
>> That seems a bit odd...
> I wouldn't think that should be a problem: subsequent requests (after
> a restart) should re-create whatever data are necessary.
>
> We used to have this problem, and it turned out that we had a few
> objects in the session that were serializable yet still not
> un-serializable (because they didn't have no-arg constructors, for
> instance).
>
> Is it possible you are having a problem like that?
>
> - -chris






Re: Form Authentication vs. Tomcat Restart

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jess,

On 12/6/11 6:17 PM, Jess Holle wrote:
> Okay, I now notice this plainly stated in the documentation for 
> JNDIRealm (which I'm using):
> 
> The cached user is *not* saved and restored across sessions 
> serialisations.
> 
> That seems a bit odd...

I wouldn't think that should be a problem: subsequent requests (after
a restart) should re-create whatever data are necessary.

We used to have this problem, and it turned out that we had a few
objects in the session that were serializable yet still not
un-serializable (because they didn't have no-arg constructors, for
instance).

Is it possible you are having a problem like that?

- -chris


Re: Form Authentication vs. Tomcat Restart

Posted by Jess Holle <je...@ptc.com>.
Okay, I now notice this plainly stated in the documentation for 
JNDIRealm (which I'm using):

    The cached user is *not* saved and restored across sessions
    serialisations.

That seems a bit odd...

On 12/6/2011 5:12 PM, Jess Holle wrote:
> When doing a graceful shutdown of Tomcat, the sessions are persisted 
> to disk and then re-read on startup (at least in all reasonably recent 
> versions).
>
> Oddly, however, form-based authentication does not seem to survive a 
> graceful restart.  Rather one has to log in again.  Is this known?  
> Intentional?  Configurable?
>
> -- 
> Jess Holle

Re: Form Authentication vs. Tomcat Restart

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/12/7 Mohammad M. AbuZer <m....@gmail.com>:
> It should serialize User and Principals, nothing more; no need for password.
>
> On Wed, Dec 7, 2011 at 4:12 PM, Konstantin Kolinko <kn...@gmail.com> wrote:
>
>> 2011/12/7 Jess Holle <je...@ptc.com>:
>> > I should have noted that this is with Tomcat 7.0.23, but it seemed unlikely
>> > to be JVM (Java 6 Update 29) or OS (Windows 7) specific.
>> >
>> > Of course given that I found that the documentation clearly states this
>> > behavior, I suspect this is longstanding Tomcat behavior.
>> >
>> > My remaining question is /why/ Tomcat behaves this way.  If one quickly
>> > restarts Tomcat for some reason and session data is preserved, you really
>> > don't want all the users to have to login again do you?
>> >
>>
>> I think there is a simple reason:
>> The data contain user's password. You wouldn't want the password to be
>> written to disk. It is safer if it is kept in memory only.
>>

That depends on usage. Realms are used not only for Form
authentication, but for other authentication protocols as well.

Anyway if it is not implemented it likely means that nobody
contributed an implementation of it.

PS: Do not top-post.



Re: Form Authentication vs. Tomcat Restart

Posted by "Mohammad M. AbuZer" <m....@gmail.com>.
It should serialize User and Principals, nothing more; no need for password.

On Wed, Dec 7, 2011 at 4:12 PM, Konstantin Kolinko <kn...@gmail.com> wrote:

> 2011/12/7 Jess Holle <je...@ptc.com>:
> > I should have noted that this is with Tomcat 7.0.23, but it seemed unlikely
> > to be JVM (Java 6 Update 29) or OS (Windows 7) specific.
> >
> > Of course given that I found that the documentation clearly states this
> > behavior, I suspect this is longstanding Tomcat behavior.
> >
> > My remaining question is /why/ Tomcat behaves this way.  If one quickly
> > restarts Tomcat for some reason and session data is preserved, you really
> > don't want all the users to have to login again do you?
> >
>
> I think there is a simple reason:
> The data contain user's password. You wouldn't want the password to be
> written to disk. It is safer if it is kept in memory only.

Re: Form Authentication vs. Tomcat Restart

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/12/7 Jess Holle <je...@ptc.com>:
> I should have noted that this is with Tomcat 7.0.23, but it seemed unlikely
> to be JVM (Java 6 Update 29) or OS (Windows 7) specific.
>
> Of course given that I found that the documentation clearly states this
> behavior, I suspect this is longstanding Tomcat behavior.
>
> My remaining question is /why/ Tomcat behaves this way.  If one quickly
> restarts Tomcat for some reason and session data is preserved, you really
> don't want all the users to have to login again do you?
>

I think there is a simple reason:
The data contain user's password. You wouldn't want the password to be
written to disk. It is safer if it is kept in memory only.
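
Added example, not part of the original thread and not Tomcat's code: a round-trip check for the two points raised in this thread, keeping a password out of the persisted session and spotting objects that serialize but cannot be read back. The class names (DemoPrincipal, Base, Cart) and all values are hypothetical and constructed for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class SessionRoundTrip {
    // Hypothetical principal, not Tomcat's class: the password field is
    // transient, so Java serialization never writes it to the session file.
    static class DemoPrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final List<String> roles;
        transient String password;
        DemoPrincipal(String name, String password, List<String> roles) {
            this.name = name; this.password = password; this.roles = roles;
        }
    }

    // Hypothetical session attribute that serializes but cannot be read back:
    // its non-serializable superclass has no no-arg constructor.
    static class Base { final int id; Base(int id) { this.id = id; } }
    static class Cart extends Base implements Serializable {
        private static final long serialVersionUID = 1L;
        Cart(int id) { super(id); }
    }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object read(byte[] b) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(b))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        DemoPrincipal p = new DemoPrincipal("alice", "constructed-pw", Arrays.asList("user"));
        byte[] bytes = write(p);
        String raw = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("password in serialized form: " + raw.contains("constructed-pw"));
        DemoPrincipal back = (DemoPrincipal) read(bytes);
        System.out.println(back.name + " " + back.roles + " password=" + back.password);
        try {
            read(write(new Cart(7)));
        } catch (InvalidClassException e) {
            System.out.println("not restorable: " + e.getMessage());
        }
    }
}
```

Running the same write/read pair over each attribute placed in a session shows, before a restart, which ones would fail to come back.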



Re: Form Authentication vs. Tomcat Restart

Posted by Jess Holle <je...@ptc.com>.
Yes, I now note this in the documentation.

The question remains, however: /why/ does it work this way?

On 12/7/2011 6:34 AM, Mohammad M. AbuZer wrote:
> Tomcat does that for all Form Authentication; even if you used
> `DatabaseRealm` it doesn't save the logged user.
>
> On Wed, Dec 7, 2011 at 2:24 PM, Jess Holle <je...@ptc.com> wrote:
>
>> I should have noted that this is with Tomcat 7.0.23, but it seemed
>> unlikely to be JVM (Java 6 Update 29) or OS (Windows 7) specific.
>>
>> Of course given that I found that the documentation clearly states this
>> behavior, I suspect this is longstanding Tomcat behavior.
>>
>> My remaining question is /why/ Tomcat behaves this way.  If one quickly
>> restarts Tomcat for some reason and session data is preserved, you really
>> don't want all the users to have to login again do you?
>>
>> --
>> Jess Holle
>>
>>
>> On 12/6/2011 7:05 PM, André Warnier wrote:
>>
>>> Jess Holle wrote:
>>>
>>>> When doing a graceful shutdown of Tomcat, the sessions are persisted to
>>>> disk and then re-read on startup (at least in all reasonably recent
>>>> versions).
>>>>
>>>> Oddly, however, form-based authentication does not seem to survive a
>>>> graceful restart.  Rather one has to log in again.  Is this known?
>>>> Intentional?  Configurable?
>>>>
>>> There should be a template for messages on this list :
>>>
>>> Tomcat version :
>>> Java version :
>>> platform OS & version :


Re: Form Authentication vs. Tomcat Restart

Posted by "Mohammad M. AbuZer" <m....@gmail.com>.
Tomcat does that for all Form Authentication; even if you used
`DatabaseRealm` it doesn't save the logged user.

On Wed, Dec 7, 2011 at 2:24 PM, Jess Holle <je...@ptc.com> wrote:

> I should have noted that this is with Tomcat 7.0.23, but it seemed
> unlikely to be JVM (Java 6 Update 29) or OS (Windows 7) specific.
>
> Of course given that I found that the documentation clearly states this
> behavior, I suspect this is longstanding Tomcat behavior.
>
> My remaining question is /why/ Tomcat behaves this way.  If one quickly
> restarts Tomcat for some reason and session data is preserved, you really
> don't want all the users to have to login again do you?
>
> --
> Jess Holle
>
>
> On 12/6/2011 7:05 PM, André Warnier wrote:
>
>> Jess Holle wrote:
>>
>>> When doing a graceful shutdown of Tomcat, the sessions are persisted to
>>> disk and then re-read on startup (at least in all reasonably recent
>>> versions).
>>>
>>> Oddly, however, form-based authentication does not seem to survive a
>>> graceful restart.  Rather one has to log in again.  Is this known?
>>> Intentional?  Configurable?
>>>
>> There should be a template for messages on this list :
>>
>> Tomcat version :
>> Java version :
>> platform OS & version :

Re: Form Authentication vs. Tomcat Restart

Posted by Jess Holle <je...@ptc.com>.
I should have noted that this is with Tomcat 7.0.23, but it seemed 
unlikely to be JVM (Java 6 Update 29) or OS (Windows 7) specific.

Of course given that I found that the documentation clearly states this 
behavior, I suspect this is longstanding Tomcat behavior.

My remaining question is /why/ Tomcat behaves this way.  If one quickly 
restarts Tomcat for some reason and session data is preserved, you 
really don't want all the users to have to login again do you?

--
Jess Holle

On 12/6/2011 7:05 PM, André Warnier wrote:
> Jess Holle wrote:
>> When doing a graceful shutdown of Tomcat, the sessions are persisted 
>> to disk and then re-read on startup (at least in all reasonably 
>> recent versions).
>>
>> Oddly, however, form-based authentication does not seem to survive a 
>> graceful restart.  Rather one has to log in again.  Is this known?  
>> Intentional?  Configurable?
>>
> There should be a template for messages on this list :
>
> Tomcat version :
> Java version :
> platform OS & version :
>
>


Re: Form Authentication vs. Tomcat Restart

Posted by André Warnier <aw...@ice-sa.com>.
Jess Holle wrote:
> When doing a graceful shutdown of Tomcat, the sessions are persisted to 
> disk and then re-read on startup (at least in all reasonably recent 
> versions).
> 
> Oddly, however, form-based authentication does not seem to survive a 
> graceful restart.  Rather one has to log in again.  Is this known?  
> Intentional?  Configurable?
> 
There should be a template for messages on this list :

Tomcat version :
Java version :
platform OS & version :

