Posted to users@tomcat.apache.org by Sasha Borodin <sa...@whoissasha.com> on 2003/08/23 01:04:55 UTC

Re-authentication forced after context reload

Howdy, trying to solve an issue before heading out for the weekend, any
insight would be greatly appreciated :-)

Re: Re-authentication forced after context reload

Posted by Bill Barker <wb...@wilshire.com>.
"Sasha Borodin" <sa...@whoissasha.com> wrote in message
news:BB6C0BC7.BCC1%sasha@whoissasha.com...
> Howdy, trying to solve an issue before heading out for the weekend, any
> insight would be greatly appreciated :-)
>
> From my understanding of the CMA docs for Tomcat, a user's credentials are
> cached after login, and a user is authenticated until the session expires
> (FORM) or the browser is restarted (BASIC, etc.).  However, the docs don't
> mention the expected behavior if the container or individual context is
> reloaded.
>
> I'm using FORM-based login.  My sessions are set to expire after 30 minutes.
> Sessions are serialized.  But if I reload the context even before the
> session is expired, I'm redirected to my login page if I request any
> protected resources after the reload.
>
> The session is still valid, because I'm not assigned a different session id
> - the same one is somehow "blessed" again.  I would think that since the
> docs state that "logged in" status is tied to the session, a user would
> remain logged in until the session expires or is invalidated.
>
> Is there a switch I'm missing to save the "logged in" status?  Or is this
> the designed behavior according to the Servlet spec?

There is no switch that you are missing:  Tomcat refuses to save/restore the
logged in user from the Session.  It certainly isn't doing this because of
the Servlet spec (if anything, my reading of the spec suggests that it
should retain the user).  However, this is a grey area in the spec, so you
can't say that Tomcat is violating the spec either.

>
> Thank you very much,
>
> -Sasha