In Tomcat you can use the PersistentManager in order to swap active (but idle) sessions out to a persistent storage mechanism, as well as to save all sessions across a normal restart of Tomcat. Moreover, the JAASRealm is an implementation of the Tomcat Realm interface that authenticates users through the Java Authentication & Authorization Service (JAAS) framework.
However, the problems start when the PersistentManager deserializes the persisted sessions but the built in JAAS authenticators are not able to find any user principal in those sessions and as a result the user is asked to provide their credentials. The cause of the problem is that as it has been documented in the org.apache.catalina.session.StandardSession class:
/**
* The authenticated Principal associated with this session, if any.
* <b>IMPLEMENTATION NOTE:</b> This object is <i>not</i> saved and
* restored across session serializations!
*/