Hi Jack,

The current Subject implementation (DelegatingSubject) isAuthenticated() implementation assumes that your Subject instances are very short lived - i.e. they are created and destroyed per request (it initializes the 'authenticated' boolean in the constructor - not by checking the session).

Do you use long-lived Subject instances? I.e. do you store them in static memory or in an HttpSession?

Regards,

Les

On Tue, May 17, 2011 at 9:24 AM, juminoz <[email protected]> wrote:
> Am I correct that the only way to check for session timeout is to actually
> explicitly do something with the session object (i.e. call a method in
> Session class)? I thought that isAuthenticated() method returns false when
> user is either not authenticated or that the session has already timed out,
> but that doesn't seem to be the case. If I don't place logic to explicitly
> check, my client still can do everything as if the session hasn't timed out.
>
> Thanks,
> Jack
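As an added example (not Les's code and not part of Shiro itself), a helper that performs the explicit check Jack describes: it validates the Subject's session before trusting the cached isAuthenticated() flag, so a long-lived Subject whose session has timed out is not treated as still logged in. It assumes the Shiro 1.x Subject, Session and InvalidSessionException APIs; the class name and handleRequest() are hypothetical.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class SessionAwareAuthCheck {

    // Returns true only if the Subject is authenticated AND its backing
    // session is still valid. DelegatingSubject sets 'authenticated' in its
    // constructor, so on a long-lived Subject that flag can stay true after
    // the session has timed out; touching the session forces Shiro to
    // validate it (an expired or stopped session throws).
    public static boolean isStillAuthenticated(Subject subject) {
        if (subject == null || !subject.isAuthenticated()) {
            return false;
        }
        Session session = subject.getSession(false); // never create one here
        if (session == null) {
            // No session to time out (e.g. stateless Subject):
            // fall back to the cached flag, which is true at this point.
            return true;
        }
        try {
            session.touch();
            return true;
        } catch (InvalidSessionException expiredOrStopped) {
            // Clear the stale Subject state so later isAuthenticated()
            // calls stop returning true. Guarded defensively in case the
            // SecurityManager also complains about the dead session.
            try {
                subject.logout();
            } catch (RuntimeException ignored) {
                // Subject is being discarded anyway; nothing more to do.
            }
            return false;
        }
    }

    // Hypothetical request entry point showing where the check belongs.
    public static void handleRequest() {
        Subject current = SecurityUtils.getSubject();
        if (!isStillAuthenticated(current)) {
            // Reject the request (401) or redirect to login.
            return;
        }
        // ... proceed with the authenticated request ...
    }
}
```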
