HashSessionManager.resolveClass fails to restore sessions that contain arrays of objects loaded from the webcontext where it fails with a ClassNotFoundException.
This appears to be due to use of ClassLoader.loadClass which is not always able to decode serialization array syntax (e.g. "[Ljava.lang.Object"). There is a good description of the problem and solution here: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6500212
I patched my Jetty locally to change the following line in HashSessionManager.ClassLoadingObjectInputStream.resolveClass:586
to the following (as recommended by the bug link above):
return Class.forName(cl.getName(), false, Thread.currentThread().getContextClassLoader());
and the deserialization now works for me.
This issue manifests in Jdk 1.5 & 1.6 and is resolved by the suggested fix.