When the session is backed by the servlet container (such as Tomcat) and the subject is authenticated, the session will contain AUTHENTICATED_SESSION_KEY and PRINCIPALS_SESSION_KEY.
When the servlet container shuts down, it may persist the session.
But if the principal is not serializable, it will not be persisted; when the server restarts, the session will contain only the AUTHENTICATED_SESSION_KEY info and the PRINCIPALS_SESSION_KEY will be lost,
which means the subject is authenticated, but the subject does not have a principal. If the user code is