User is not prompted to authenticate after restarting the server

Question

Spring security has been used for our application. Spring security has been configured in bean declaration way.

The problem is : I logged into the application, browsed few pages, and restarted the server(but didn't close the browser). After restarting the server I could successfully move to other pages. I am sure it is not the browser cache as I delete all the cookies before I start go through other pages.

Why does it happen like this ? Is this the default behavior ? How can I enforce the authentication after restarting the server ?

Answer 1

We use Tomcat 6, and it is the default behavior of the tomcat which serializes sessions before server shutdown and de-serializes next time the server is restarted thus it maintains the session.

If we don't want this default behavior then uncomment the 'Manager' element section in the context.xml.