User is not prompted to authenticate after restarting the server
This topic is closed

  • User is not prompted to authenticate after restarting the server

    Spring Security has been used for our application. Spring Security has been configured in the bean declaration way (namespace configuration is not used, as our app needs both basic and form-based authentication).

    The problem is: I logged into the application, browsed a few pages, and restarted the server (but didn't close the browser). After restarting the server I could successfully move to other pages. I am sure it is not the browser cache.

    Why does it happen like this? Is this the default behavior? How can I enforce the authentication after restarting the server?

  • #2
    Without more information it's impossible to say. For example:

    What server are you using? Does it persist sessions so that they are still valid after a restart?
    Have you made any attempt to verify if you are using the same session?
    What type of authentication are you using? Are you using a type of authentication that is cached by the browser (e.g. Basic authentication)?
    Are you using remember-me authentication?
    Have you monitored the flow of requests between your browser and the server to work out whether a re-authentication is taking place automatically?
    And, of course, have you looked at the debug log to see what takes place when you request a secured resource after a restart? Is the user already authenticated or does the server generate an Access Denied first?


    • #3
      As Luke already mentioned it is hard to say.

      Tomcat for instance serializes the active session on server shutdown and deserializes them on startup. So as long as the session is valid it remains active (the behavior you are noticing).


      • #4
        Thanks Luke and Marten. Tomcat 6.0.x has been used in our project; as you correctly said, it is Tomcat which serializes sessions by default when it shuts down. Updated context.xml as suggested by the Tomcat doc to change this default behaviour.

        Thanks Luke, your questions were very valid, but I didn't analyze them as I found that the Tomcat default settings cause this problem. Your questions made me think that there are many options why this behavior occurs.

        Thanks a lot.
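
The context.xml change mentioned in #4, as an added example that is not part of the thread: Tomcat's documented way to stop sessions from being restored after a restart is a `<Manager>` element with an empty `pathname`. The check below, its function name and the sample context.xml contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample context.xml contents (not taken from the thread).
DEFAULT_CONTEXT = """<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

HARDENED_CONTEXT = """<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <!-- An empty pathname turns off saving sessions at shutdown -->
    <Manager pathname="" />
</Context>"""

CUSTOM_FILE_CONTEXT = """<Context>
    <Manager pathname="saved-sessions.ser" />
</Context>"""

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"


def sessions_survive_restart(context_xml):
    """Return (survives, reason) for one context.xml document (hypothetical helper)."""
    root = ET.fromstring(context_xml)
    manager = root.find(".//Manager")
    if manager is None:
        # No <Manager>: the default manager serializes sessions on shutdown.
        return True, "no <Manager> element, default session persistence applies"
    if manager.get("className") == PERSISTENT_MANAGER:
        return True, "PersistentManager writes sessions to its Store"
    pathname = manager.get("pathname")
    if pathname is None:
        return True, "pathname unset, default SESSIONS.ser is used"
    if pathname == "":
        return False, "empty pathname, sessions are not saved across restarts"
    return True, "sessions are saved to " + pathname


if __name__ == "__main__":
    samples = {
        "default": DEFAULT_CONTEXT,
        "hardened": HARDENED_CONTEXT,
        "custom file": CUSTOM_FILE_CONTEXT,
    }
    for name, xml_text in samples.items():
        survives, reason = sessions_survive_restart(xml_text)
        status = "STILL LOGGED IN after restart" if survives else "re-authentication required"
        print(f"{name}: {status} ({reason})")
```
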