P.S. I tried this in Shiro's sample web app: https://svn.apache.org/repos/asf/shiro/trunk/samples/web/
(mvn jetty:run)

I added <session-config> (2 minutes) to web.xml and it timed out properly. Flow:

1. Log in successfully
2. See the home page
3. Wait a few minutes
4. Click on the 'account page' link.

Shiro redirected me to the login page because my previous 2-minute session had timed out.

This is using Jetty of course, but it should work identically in Tomcat or any other servlet container for that matter.

HTH,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog

On Tue, May 8, 2012 at 11:29 AM, Les Hazlewood <[email protected]> wrote:

> The default ServletContainerSessionManager implementation relies on
> whatever config there is in web.xml.
>
> SHIRO-240 was closed because ServletContainerSessionManager no longer has
> the notion of a globalSessionTimeout property - it doesn't even exist in
> its class hierarchy because it can't honor it. After removing that
> property from its class hierarchy, it became 100% dependent upon the
> servlet container's behavior.
>
> I'd be curious if you find anything when enabling logging in your servlet
> container to see what is going on. Which one are you using?
>
> Regards,
>
> Les
>
>
> On Mon, May 7, 2012 at 10:53 PM, Dan Tran <[email protected]> wrote:
>
>> Hi Les,
>>
>> Not sure if my issue is related to this
>> https://issues.apache.org/jira/browse/SHIRO-240?
>>
>> Perhaps I should reopen SHIRO-240?
>>
>> -Dan
>>
>> On Wed, May 2, 2012 at 6:56 AM, Les Hazlewood <[email protected]> wrote:
>> > On Mon, Apr 30, 2012 at 2:38 PM, Dan Tran <[email protected]> wrote:
>> >>
>> >> due to this config
>> >>
>> >> <bean id="securityManager"
>> >> class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
>> >> [....]
>> >> <property name="sessionManager.globalSessionTimeout" value="1800000" />
>> >> [....]
>> >> </bean>
>> >
>> > The above config is only valid if you've configured Shiro to use a
>> > 'native' session manager. By default, the DefaultWebSecurityManager
>> > uses a Servlet Container-based session manager, which delegates all
>> > session management behavior to the Servlet Container.
>> >
>> >> So I ended up adding this to my web.xml
>> >>
>> >> <session-config>
>> >> <session-timeout>30</session-timeout>
>> >> </session-config>
>> >>
>> >> I don't think this is working either (I changed the value to 1 and
>> >> the session is not timing out after 1 minute)
>> >
>> > This appears to be correct. I can't speak as to why your servlet
>> > container wouldn't be honoring a 1-minute timeout, but this would be
>> > out of Shiro's control since you're using Servlet Container-based
>> > session management.
>> >
>> > HTH,
>> >
>> > --
>> > Les Hazlewood
>> > CTO, Stormpath | http://stormpath.com | 888.391.5282
>> > twitter: @lhazlewood | http://twitter.com/lhazlewood
>> > blog: http://leshazlewood.com
>> > stormpath blog: http://www.stormpath.com/blog
>> >
>
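
The two session-timeout setups discussed in this thread, side by side, as an added example that is not part of the original messages or of Shiro's sample web app. The bean id "sessionManager" and the 30-minute value are assumptions made for illustration; DefaultWebSessionManager is Shiro's native web session manager class.

```xml
<!-- web.xml: container-managed sessions (the DefaultWebSecurityManager default).
     The servlet container enforces the idle timeout; the unit is minutes. -->
<session-config>
    <session-timeout>30</session-timeout>
</session-config>

<!-- Spring context: Shiro native sessions. globalSessionTimeout is set on the
     native session manager; the unit is milliseconds (1800000 = 30 minutes).
     The bean id "sessionManager" is an assumption made for this example. -->
<bean id="sessionManager"
      class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="globalSessionTimeout" value="1800000"/>
</bean>

<bean id="securityManager"
      class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!-- Wire in the native manager explicitly; without this the security
         manager delegates session handling to the servlet container. -->
    <property name="sessionManager" ref="sessionManager"/>
</bean>
```

These are alternatives: pick one session manager and set the idle timeout in the place that manager reads.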
