Hi Stephen,

In addition to the previous answer you can also set the servlet session timeout as follows in the web.xml

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

Sent from my iPhone

> On 30 Oct 2016, at 19:10, Stephen Cameron <[email protected]> wrote:
>
>> On Monday, October 31, 2016, Ahmed Ragab <[email protected]> wrote:
>>
>> Sent from my iPhone
>>
>>> On 30 Oct 2016, at 11:46, Stephen Cameron <[email protected]> wrote:
>>>
>>> I have an isis app that will be publicly accessible.
>>>
>>> I'd like to make it as secure as is reasonable.
>>>
>>> Use of SSL is necessary of course.
>>>
>>> Internet banking sites seem to make do with password authentication, but
>>> expire dormant sessions very promptly and not show any account details in
>>> the UI (so someone can see the account name and guess the password). Is
>>> similar possible in Apache Isis?
>>>
>> I didn't understand what you want to achieve
>
> If a logged-in user stops interacting with the app for a period, the login
> gets expired and they have to enter their password again. I'm wondering if
> the time interval to expiry can be configured.
>
>>> I need to disable the RESTful objects interface too.
>>>
>> That one is as simple as removing the RESTful objects filter from the
>> web.xml
>>> Thanks for any suggestions or tips.
>>>
>>> Stephen Cameron
>>
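
One way to check a deployed web.xml for the two settings discussed in this thread, the idle session timeout and leftover RESTful objects entries. This is an added example, not part of the original emails or of Apache Isis; the sample file, its filter name and class, the 15-minute threshold and the "restful" substring match are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the filter name and class are placeholders, not the
# real Apache Isis entries.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>ExampleRestfulObjectsFilter</filter-name>
    <filter-class>com.example.placeholder.RestFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ExampleRestfulObjectsFilter</filter-name>
    <url-pattern>/restful/*</url-pattern>
  </filter-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>"""

def local(tag):
    # Drop the '{namespace}' prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text, max_idle_minutes=15, rest_marker="restful"):
    """Return (timeout in minutes or None, findings); both defaults are assumed."""
    findings, timeout = [], None
    for el in ET.fromstring(xml_text).iter():
        name, text = local(el.tag), (el.text or "").strip()
        if name == "session-timeout":
            timeout = int(text)
        elif name in ("filter", "servlet"):
            # Match on the declared name or class of each filter/servlet.
            values = [(c.text or "").strip() for c in el]
            if any(rest_marker in v.lower() for v in values):
                findings.append(f"{name} still declared: {values[0]}")
        elif name == "url-pattern" and rest_marker in text.lower():
            findings.append(f"mapping still present: {text}")
    if timeout is None:
        findings.append("no session-timeout: container default applies")
    elif timeout <= 0:
        # Servlet spec: zero or negative means sessions never time out.
        findings.append("session-timeout <= 0: sessions never expire")
    elif timeout > max_idle_minutes:
        findings.append(f"session-timeout {timeout} min > {max_idle_minutes} min")
    return timeout, findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML)[1]:
        print(finding)
```

The `<session-timeout>` value is in minutes, so the 30 in the reply above means a session expires after 30 minutes without a request.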
