
I do the following:

  1. log in to my spring application (e.g. as user 'admin')
  2. stop tomcat
  3. Now I see the session being serialized into the sessions.ser file
  4. I restart tomcat
  5. the sessions.ser file disappears (I guess it is being deserialized during server start?)
  6. Now I send a request which requires a logged-in user (as done in step 1, i.e. I hit F5 in the browser where I was already logged in before, so I guess the request sends along the jSessionId etc.)
  7. When debugging, I can observe how spring successfully loads the SecurityContext in HttpSessionSecurityContextRepository.readSecurityContextFromSession with the stored Session-Information (it is a UsernamePasswordAuthenticationToken containing an Authentication object containing the Principal etc., thus getting the custom User object seems possible)
  8. Spring accepts the request, i.e. there is no need to re-login and the appropriate response is sent

However, when trying to list the logged-in users using the SessionRegistry via

    import java.util.ArrayList;
    import java.util.List;
    import org.springframework.security.core.session.SessionInformation;
    import org.springframework.security.core.session.SessionRegistry;

    // sessionRegistry, clientQuery, MyCustomUser, ClientQueryDetails and SessionInfo
    // are the application's own beans/types
    public List<SessionInfo> listActiveSessions() {
        List<SessionInfo> result = new ArrayList<>();
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            MyCustomUser myCustomUser = (MyCustomUser) principal;
            ClientQueryDetails client = clientQuery.getDetails(myCustomUser.getClientId()).get();
            // second argument false: leave out sessions already marked as expired
            List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation sessionInformation : sessions) {
                result.add(new SessionInfo(client.getName(), myCustomUser.getUsername(),
                        sessionInformation.getSessionId(), sessionInformation.getLastRequest()));
            }
        }
        return result;
    }

as I normally do to visualize the users/sessions currently active, it is empty.

Why does Spring not add those Principals to the SessionRegistry in this moment? Can/Should I do it somehow manually?

I've read https://github.com/spring-projects/spring-security/issues/2062 which sounds like doing so would be a bad idea.

Also related seems "Getting logged in users with sessionRegistry not work when manually authenticate"

I've also found http://forum.spring.io/forum/spring-projects/web/71503-spring-not-restoring-persistent-sessions-to-session-registry

So to summarize my questions:

  1. Why doesn't spring re-add the serialized session information to the SessionRegistry?
  2. Is querying the SessionRegistry in order to display all active Sessions to the user (i.e. the logged-in users) the correct way to do so? EDIT Yes, this is definitely the purpose of the SessionRegistry: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#list-authenticated-principals
  3. Should I add the Principals manually to the SessionRegistry? EDIT https://github.com/spring-projects/spring-security/issues/2062 provides different ways of manually re-adding sessions to the SessionRegistry, however it seems there are some caveats in doing so.
  4. Where and how exactly is the Session from sessions.ser being deserialized into and where does spring obtain it? Or in other words, how does the session information get from the sessions.ser file into the SecurityContext of spring? Especially how is it "handed over" from tomcat to spring?

SebastianRiemer

    #4: **sessions.ser** is Tomcat saving the [`HttpSession`](http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpSession.html), and has nothing to do with Spring. Spring can get information by calling [`getAttribute()`](http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpSession.html#getAttribute(java.lang.String)). However, for the logged-in user, Spring can also call [`HttpServletRequest.getUserPrincipal()`](http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()). To see exactly what it does, look at the Spring source code. – Andreas Sep 26 '17 at 17:20
  • The `SessionRegistry` is an in-memory map of currently attached users. That is obviously destroyed when you shutdown tomcat and empty when you start it. If you want that different use a persistent `SessionRegistry` instead. – M. Deinum Sep 26 '17 at 17:47
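As an added example (not code from the question, the answer or Spring Security itself), the situation described above can be handled per request: a filter that notices a Tomcat-restored, authenticated HttpSession the in-memory SessionRegistry no longer knows and either re-registers it (the manual re-adding the question asks about) or fails closed and forces a fresh login; the class name, the constructor flag and the filter position are assumptions.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (not part of Spring Security); must run after the
// SecurityContextPersistenceFilter so the restored SecurityContext is already loaded.
public class SessionRegistrySyncFilter extends OncePerRequestFilter {
    private final SessionRegistry sessionRegistry;
    // true: trust the restored session and re-register it; false: fail closed, force re-login
    private final boolean reRegister;

    public SessionRegistrySyncFilter(SessionRegistry sessionRegistry, boolean reRegister) {
        this.sessionRegistry = sessionRegistry;
        this.reRegister = reRegister;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // A real (non-anonymous) authentication whose session the registry does not know is
        // exactly the state after Tomcat restored the session from sessions.ser.
        if (session != null && auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken)
                && sessionRegistry.getSessionInformation(session.getId()) == null) {
            if (reRegister) {
                // Re-add it so getAllPrincipals()/getAllSessions() and concurrent-session
                // control, which both read the registry, see this session again.
                sessionRegistry.registerNewSession(session.getId(), auth.getPrincipal());
            } else {
                // A session the registry cannot see can neither be listed nor expired via
                // expireNow(), so drop it and require a fresh login (same effect as the
                // answer's SESSIONS.ser deletion, but per request and without touching files).
                session.invalidate();
                SecurityContextHolder.clearContext();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it with `http.addFilterAfter(new SessionRegistrySyncFilter(sessionRegistry, false), SecurityContextPersistenceFilter.class)`; the re-register branch carries the caveats discussed in the linked issue 2062, so the fail-closed branch is the safer default unless restored principals are trusted.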

1 Answer


My solution to the problem of not seeing sessions in the SessionRegistry but having valid sessions (i.e. logged-in users) is to simply delete the SESSIONS.ser file on server restart.

As a consequence, all users have to log in again, and the SessionRegistry is populated accordingly. Since I have no pressing need to keep the sessions alive, this is a good solution for me.

SebastianRiemer