On Mon, Apr 30, 2012 at 2:38 PM, Dan Tran <[email protected]> wrote: > > due to this config > > <bean id="securityManager" > class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> > [....] > <property name="sessionManager.globalSessionTimeout" value="1800000" /> > [....] > </bean>
The above config is only valid if you've configured Shiro to use a 'native' session manager. By default, the DefaultWebSecurityManager uses a Servlet Container-based session manager, which delegates all session management behavior to the Servlet Container. > So I ended up to add this into my web.xml > > <session-config> > <session-timeout>30</session-timeout> > </session-config> > > I dont think this is working either ( i change the value to 1 and > session is not timing out after 1 minute ) This appears to be correct. I can't speak as to why your servlet container wouldn't be honoring a 1-minute timeout, but this would be out of Shiro's control since you're using Servlet Container-based session management. HTH, -- Les Hazlewood CTO, Stormpath | http://stormpath.com | 888.391.5282 twitter: @lhazlewood | http://twitter.com/lhazlewood blog: http://leshazlewood.com stormpath blog: http://www.stormpath.com/blog
