I'm using Tomcat 6.2 and Spring MVC 2.5. I've noticed that, whilst a user is logged in I can restart Tomcat and the user is able to continue browsing without re-authenticating. This appears to be coming from Tomcat's ability to persist sessions across restarts.
It appears, however, that these persisted sessions do not make it back into the Spring session registry. When retrieving a user's session information from the session registry before the restart I get back information. Post a restart, though, the session registry has no information on the user.
Have I missed some configuration that would allow Spring to restore these persisted Tomcat sessions after a restart? Failing that, is there a way to kick a user out of the web application without calling sessionInformation.expireNow()?
Try this configuration:
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    ...
    <property name="alwaysReauthenticate" value="true"/>
</bean>
Are the objects you want persisted and then restored from the session serializable?