I did a simple test and it seems that the principal remains unchanged
after a session timeout of 1 min:
    // Read the principal of the thread-bound Subject, wait past the 1 min
    // session timeout without touching the session, then read it again.
    Object user1 = SecurityUtils.getSubject().getPrincipal();
    logger.info("user1={}", user1);
    try {
        Thread.sleep(120000); // sleep for 2 min, longer than the 1 min session timeout
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
    Object user2 = SecurityUtils.getSubject().getPrincipal();
    logger.info("user2={}", user2);
    assert user1 == user2; // same principal object even though the session was destroyed meanwhile
and the log confirms it:
2011-07-28 11:13:50,073 INFO [pt.ipb.rad.server.services.i35.ActividadesDivulgacaoServiceImpl]: user1=User [login=filipe, nome=Filipe Sousa, codEscola=3043, modulos=null]
2011-07-28 11:14:53,107 INFO [pt.ipb.rad.server.guice.GuiceListener]: About to destroy session: 19l9roklzh9etri6bceunc2e
2011-07-28 11:15:50,074 INFO [pt.ipb.rad.server.services.i35.ActividadesDivulgacaoServiceImpl]: user2=User [login=filipe, nome=Filipe Sousa, codEscola=3043, modulos=null]
2011-07-28 11:15:50,074 DEBUG [pt.ipb.rad.server.gwt.RemoteServiceServlet]: ---> void ActividadesDivulgacaoService.test(): 120002ms, 127, 12
On Thu, Jul 28, 2011 at 9:17 AM, Filipe Sousa <[email protected]> wrote:
> On Thu, Jul 28, 2011 at 12:04 AM, Manoj Khangaonkar
> <[email protected]> wrote:
>> On Wed, Jul 27, 2011 at 1:26 PM, Filipe Sousa <[email protected]> wrote:
>>> Hi Manoj,
>>>
>>> That is not what I meant.
>>>
>>> Suppose I have the following code in a servlet and the user is already
>>> authenticated
>>>
>>> protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
>>>     SecurityUtils.getSubject().isAuthenticated();
>>>     SecurityUtils.getSubject().isAuthenticated();
>>> }
>>>
>>> Is it possible that in the second call isAuthenticated() might return false?
>>>
>>
>> I don't think this can happen.
>>
>>> I have been using the following pattern:
>>>
>>> protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
>>>     String login = (String) SecurityUtils.getSubject().getPrincipal();
>>>     foo(login);
>>>     bar(login);
>>> }
>>>
>>> void foo(String login) {
>>>     ...
>>> }
>>>
>>> void bar(String login) {
>>>     ...
>>> }
>>>
>>>
>>> but I was wondering if it is safe to use the following:
>>>
>>> protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
>>>     foo();
>>>     bar();
>>> }
>>>
>>> void foo() {
>>>     String login = (String) SecurityUtils.getSubject().getPrincipal();
>>> }
>>>
>>> void bar() {
>>>     String login = (String) SecurityUtils.getSubject().getPrincipal();
>>> }
>>>
>>
>> The Subject is associated with the thread. So I do not know of a reason why
>> this would be unsafe.
>
> But what about session timeout?
> If a session timeout occurs between the two calls, what will the
> second call return: the same login or null? I know that in the next HTTP
> request it will return null, but I don't know what will happen in the
> same request.
>
> Thanks
> --
> Filipe Sousa
>
--
Filipe Sousa
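The question in this thread (does the thread-bound Subject keep its principal once its session has timed out within the same request, and what does the next request see?) can be reproduced without a servlet container and without a two-minute sleep. The program below is an added example, not code from the thread or from the Shiro project. It assumes only shiro-core on the classpath and uses a constructed in-memory account ("filipe"/"secret"); the session is given a one-second idle timeout instead of the one-minute servlet timeout. Which branch the "after" read takes is version dependent: the log above (Shiro 1.1 era) shows the cached principal surviving, while my understanding is that later 1.x releases consult the session from getPrincipals() and throw an InvalidSessionException instead, so the probe records either outcome rather than asserting one. The "fresh subject" read models the next HTTP request: a new Subject built on the same thread with no session to resolve.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/** Added example (not from the thread): probe what the thread-bound Subject reports around a session timeout. */
public class SessionTimeoutProbe {

    /** Result of one probe run. */
    public static final class Outcome {
        public final Object before;        // principal read right after login
        public final Object after;         // principal read after the timeout, or null if the read threw
        public final String afterError;    // exception class name if the read threw, else null
        public final Object freshSubject;  // principal seen by a newly built Subject (models the next request)

        Outcome(Object before, Object after, String afterError, Object freshSubject) {
            this.before = before;
            this.after = after;
            this.afterError = afterError;
            this.freshSubject = freshSubject;
        }
    }

    /** Stand-alone SecurityManager with one constructed account and no background validation thread. */
    static DefaultSecurityManager newSecurityManager() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("filipe", "secret"); // constructed test credentials, not real ones
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        // Keep the demo single-threaded: expiry is then detected on access, not by a scheduler thread.
        ((DefaultSessionManager) sm.getSessionManager()).setSessionValidationSchedulerEnabled(false);
        return sm;
    }

    /** Log in, let the session lapse without touching it, then read the principal the way a servlet would. */
    public static Outcome probe(long timeoutMillis) throws InterruptedException {
        SecurityUtils.setSecurityManager(newSecurityManager());
        ThreadContext.remove();                        // start from a thread with nothing bound
        Subject subject = SecurityUtils.getSubject();  // builds a Subject and binds it to this thread
        subject.login(new UsernamePasswordToken("filipe", "secret"));
        Object before = subject.getPrincipal();

        subject.getSession().setTimeout(timeoutMillis); // idle timeout, like the 1 min servlet session above
        Thread.sleep(timeoutMillis + 500);              // nothing touches the session, so it times out

        Object after = null;
        String afterError = null;
        try {
            // Same thread, same bound Subject: the read the thread's second call performs.
            after = SecurityUtils.getSubject().getPrincipal();
        } catch (InvalidSessionException e) {
            afterError = e.getClass().getSimpleName(); // e.g. ExpiredSessionException on releases that validate here
        }

        // Model the next request: unbind the thread and build a fresh Subject with no session to resolve.
        ThreadContext.remove();
        Object fresh = SecurityUtils.getSubject().getPrincipal();
        ThreadContext.remove();                        // leave the thread clean for the caller
        return new Outcome(before, after, afterError, fresh);
    }

    public static void main(String[] args) throws InterruptedException {
        Outcome o = probe(1000L);
        System.out.println("before timeout: " + o.before);
        System.out.println(o.afterError == null
                ? "after timeout, same thread: " + o.after
                : "after timeout, same thread: read threw " + o.afterError);
        System.out.println("fresh Subject (next request): " + o.freshSubject);
    }
}
```

Whatever the "after" branch prints for your Shiro version, the fresh Subject reads null, which is the observation in the thread that the next request sees no principal. The practical consequence for the two servlet patterns discussed above is the same either way: reading the principal once at the top of doGet and passing it down gives every callee the identity that was checked at request entry, whereas reading it again inside foo() and bar() makes each call depend on whether the session is still valid at that instant.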