The tomcat-4.1.29 code shows that the FormAuthenticator.authenticate method calls the restoreRequest. The usecase you describe works fine for me with FORM based on using the jmx-console.war. I can login, wait for the session to expired and then click on a link such as http://localhost:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServerInfo
and after re-entering the login info, I am taken to the ServerInfo mbean inspector page.
If you look at line 211 in authenticate method where it says
// Have we authenticated this user before but have caching disabled?
In my case 'cache' variable is false and it always falls into the if block and then reauthenticates user, checks if principal is not null, calls register method and then returns true.
It don't see how it will ever reach the restoreRequest method call, which follows this block of code.
I guess if you cache the principal it will work, but otherwise not