I believe that the session timeout only applies to new requests - existing requests should not lose their session mid-stream.
On 07/28/2011 03:17 AM, Filipe Sousa wrote:
> On Thu, Jul 28, 2011 at 12:04 AM, Manoj Khangaonkar
> <[email protected]> wrote:
>> On Wed, Jul 27, 2011 at 1:26 PM, Filipe Sousa <[email protected]> wrote:
>>> Hi Manoj,
>>>
>>> That is not what I meant.
>>>
>>> Suppose I have the following code in a servlet and the user is already
>>> authenticated
>>>
>>> protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
>>>     SecurityUtils.getSubject().isAuthenticated()
>>>     SecurityUtils.getSubject().isAuthenticated()
>>> }
>>>
>>> Is it possible that in the second call isAuthenticated() might return false?
>>>
>> I don't think this can happen.
>>
>>> I have been using the following pattern:
>>>
>>> protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
>>>     String login = SecurityUtils.getSubject().getPrincipal()
>>>     foo(login)
>>>     bar(login)
>>> }
>>>
>>> foo(String login) {
>>>     ...
>>> }
>>>
>>> bar(String login) {
>>>     ...
>>> }
>>>
>>>
>>> but I was wondering if it is safe to use the following:
>>>
>>> protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
>>>     foo()
>>>     bar()
>>> }
>>>
>>> foo() {
>>>     String login = SecurityUtils.getSubject().getPrincipal()
>>> }
>>>
>>> bar() {
>>>     String login = SecurityUtils.getSubject().getPrincipal()
>>> }
>>>
>> The Subject is associated with the thread. So I do not know of a reason why
>> this would be unsafe.
> But what about session timeout?
> If a session timeout occurs between the two calls, what will the second
> call return? The same login or null? I know that in the next HTTP
> request it will return null, but I don't know what will happen in the
> same request.
>
> Thanks
