We are using Spring Security in our web application. During development, we observed that even after a Tomcat restart the session was retained, and the user was not redirected to the login screen as we expected.

The reason for this is that Tomcat persists HTTP sessions across container restarts. Spring Security keeps the authenticated SecurityContext as an attribute of the HttpSession, and that attribute is Serializable, so it is written to disk at shutdown and restored at startup together with the rest of the session; an authenticated user therefore stays logged in across the restart.

Tomcat supports restart persistence through its session Manager, which the Tomcat documentation explains as follows.

Whenever Catalina is shut down normally and restarted, or when an application reload is triggered, the standard Manager implementation will attempt to serialize all currently active sessions to a disk file located via the pathname attribute. All such saved sessions will then be de-serialized and activated (assuming they have not expired in the mean time) when the application reload is completed.
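The Manager element controls this behaviour. The fragment below is an added example, not part of the original post: it shows the default configuration that persists sessions (the Manager writes them to SESSIONS.ser under the context's work directory) beside the configuration that disables persistence by setting pathname to an empty string, which is the documented way to turn the feature off. It is assumed to go into the application's META-INF/context.xml (or into conf/context.xml to apply to every web application on the server).

```xml
<!-- Added example: META-INF/context.xml of the web application (assumed location).
     Default behaviour (persistence ON): active sessions, including the
     SPRING_SECURITY_CONTEXT attribute Spring Security stores in them,
     are serialized to SESSIONS.ser on shutdown and restored on startup. -->
<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           pathname="SESSIONS.ser" />
</Context>

<!-- Hardened behaviour (persistence OFF): an empty pathname disables the
     serialization entirely, so every restart invalidates all sessions and
     users must authenticate again. -->
<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           pathname="" />
</Context>
```

After changing the file, restart Tomcat once, log in, restart again and confirm the application now redirects to the login page. Disabling persistence also removes the on-disk copy of every user's session data, which is worth checking for on any server that has been running with the default, since SESSIONS.ser in the work directory contains the serialized authentication state of all sessions that were active at the last shutdown.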