http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12516

form based auth / documentation

           Summary: form based auth / documentation
           Product: Tomcat 4
           Version: 4.1.9
          Platform: All
               URL: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

The documentation for form based authentication states (Realm HOW-TO, under JDBCRealm):

>>>
# Once a user has been authenticated, the user (and his or her associated roles) are cached within Tomcat for the duration of the user's login. (For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser). Any changes to the database information for an already authenticated user will not be reflected until the next time that user logs on again.
<<<

So it looks like the principal is stored in the session, and that it is persisted between server reloads, however the sources state the following:

StandardSession.java:

    /**
     * The authenticated Principal associated with this session, if any.
     * <b>IMPLEMENTATION NOTE:</b>  This object is <i>not</i> saved and
     * restored across session serializations!
     */
    private transient Principal principal = null;

So for some reason the principal is not persisted (why??). Apparently the implementation is not going to change, so maybe the documentation could state this behavior more clearly.