I am using JBoss 3.2.5 with Tomcat 5. I am using integrated container-managed security, by way of a DatabaseServerLoginModule. Tomcat serves this by way of FORM-based security.
When Tomcat 5 persists sessions (e.g. when I re-deploy an EAR file), it appears that everyone's security credentials are lost (e.g. not persisted/reloaded). However, the rest of their "session attributes" are correctly persisted and reloaded. They get sent back to the FORM-based login page, and after logging in, their session is back where it was.
The desired functionality, however, is for Tomcat to persist the security credentials too, so that users never experience any hiccup at all.
Can someone please tell me what I'm doing wrong?
I can only imagine it's a problem because Tomcat stores the credentials after authentication using the internal Catalina session.