timeout on form based security

2001-03-28 Thread simone cecchini

dear colleagues,
i have noted that, when using form based security (tomcat 3.2.1), a kind of expiration 
is on: if i connect to a secured page (actually a servlet) and stay inactive for a 
while (not sure about the lapse) when i reload the page or try to connect to another 
resource, i have to re-insert username and password.
am i right? which parameter have i to change to prevent tomcat from doing this?
thanks,
simone



RE: timeout on form based security

2001-03-28 Thread simone cecchini

At 09:05 3/28/01 -0500, you wrote:
 i have noted that, when using form based security (tomcat 
 3.2.1), a kind of expiration is on: if i connect to a secured 
 page (actually a servlet) and stay inactive for a while (not 
 sure about the lapse) when i reload the page or try to 
 connect to another resource, i have to re-insert username and 
 password.
 am i right? which parameter have i to change to prevent 
 tomcat from doing this?

Set your session timeout in your web.xml.  Or you can set the session
timeout in your jsp as well.


---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
mailto:[EMAIL PROTECTED]

- Punisher of those who cannot spell dumb!

thanks for your reply, but i am not using sessions anyway. either this does not 
happen when i use simple basic authentication.
it seems that session management is turned on some way, when i use form based sec.
any hint?
simone



RE: timeout on form based security

2001-03-28 Thread simone cecchini

At 09:35 3/28/01 -0500, you wrote:
 thanks for your reply, but i am not using sessions anyway. 
 either this does not happen when i use simple basic authentication.
 it seems that session management is turned on some way, when 
 i use form based sec.
 any hint?

Not sure I understand what you mean by not using sessions? You mean
you never access any instances of HttpSession?

yes, this is what i mean.

  Did you do something
like get rid of (from server.xml):

<RequestInterceptor
className="org.apache.tomcat.session.StandardSessionInterceptor" />

no, i haven't dared ;-)

To the best of my knowledge Tomcat does session management despite
whatever type of authentication you are using (correct me if I'm wrong
anyone...).

this is the answer i was looking for: by default, sessions are working under the hood.
the basic authorization is likely to be a bit more slack dealing with timeout, since 
the client just has to send correct authorization headers.

  I believe your servlet would work fine, as long as you
don't get an instance of HttpSession, if you removed the RequestInterceptor
for the Session Manager; but jsp pages will still have a problem.

Of course, this is all to the best of my knowledge...

thanks again for your answer.
btw: servlet specs v2.2 do not describe the authentication scheme used by form based 
auth. where can i find a tomcat-based description of it?
simone
Anyone else have comments on this?


---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
mailto:[EMAIL PROTECTED]

- Punisher of those who cannot spell dumb!
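
Added example, not part of the thread: a Servlet 2.2 web.xml showing where the session timeout suggested above sits relative to a form-based login configuration. The URL pattern, role name, page paths and the 30-minute value are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Idle timeout, in whole minutes, for every session in this web
       application. As the thread concludes, form-based login relies on
       the session, so when an idle session expires the next request to
       a protected resource is sent back to the login page.
       30 is an assumed value; pick a bounded interval that matches how
       long an unattended browser may stay logged in. -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <!-- Resources that require an authenticated user (assumed pattern
       and role name). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based authentication; the login page posts j_username and
       j_password to j_security_check (assumed page paths). -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

</web-app>
```

In the Servlet 2.2 DTD, session-config must appear before security-constraint and login-config, so the element order above matters when the descriptor is validated.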