I got the responsibility of maintaining a legacy web-application running on
Tomcat 5.5.36 and using the *j_security_check* feature for
user-authentication.

One problem scenario I am looking into:

When you first start the browser and log on to the application, everything
works OK.

The application receives the username from *request.getRemoteUser()* and
looks up user-roles in config-tables, for exactly what each user is allowed
to do in the GUI.

*The problem is* when a user leaves the application inactive for an
extended time (not clear yet exactly how long, but more than an hour) and
then submits a form.

It now appears that Tomcat may have discarded the authentication-info,
because of a time-out I guess, and *request.getRemoteUser()* will return
*null*, which results in a broken GUI-display.

I would expect (prefer) Tomcat, in this case, to request the
login-credentials anew before accessing the application, but for some
reason it does not.

For info, the *web.xml* under *{TOMCAT_HOME}/config* has

    ...<session-timeout>240</session-timeout>...

while the *web.xml* in the application WAR-file has no session-timeout
specified at all.

What do I need to do to get Tomcat to always ask for login-credentials
again, when needed, and make sure *request.getRemoteUser()* is never null
when calling the application?

Does anyone have a clue?
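One defensive approach to the "getRemoteUser() is never null" requirement is a servlet filter that fails closed: if the container no longer reports a principal, the request is not allowed to reach the application at all. This is an added example, not code from the post or from Tomcat; the class name and the login page path are assumptions, and the filter targets the Servlet 2.4 (javax.servlet) API that Tomcat 5.5 provides.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Fail-closed guard for a container-managed (j_security_check) webapp.
 * If the container no longer reports an authenticated principal, the
 * request must not reach application code that assumes a non-null user.
 * Hypothetical example class, not part of the original post.
 */
public class RequireRemoteUserFilter implements Filter {

    // Assumed login page; use whatever <form-login-page> in the
    // application's web.xml actually points to.
    private static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.getRemoteUser() == null) {
            // Discard any stale session state so nothing half-authenticated
            // survives into the next login.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Redirect rather than forward: the submitted form body is not
            // replayed, and the browser issues a fresh GET that the
            // security-constraint can challenge again.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter in the application's own web.xml with a `<filter-mapping>` covering the same URL patterns as the `<security-constraint>`, and note that a `<session-timeout>` set in the application's web.xml overrides the global value from the Tomcat-wide web.xml.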