rep by Matthew Schmidt: We're seeing an interesting bug here. Resin in its default configuration seems to do a deep initialization of any object that is being serialized after login with Spring Security. In our case, this happens to be a User object that has some lazy loaded lists of objects, which contains other lazy loaded lists. When we use the regular Java serialization for sessions, this is fine. When we use the default configuration is goes through and executes what appears to be thousands of queries as it tries to initialize everything. Is this the intended behavior?