I have some servlets that I can't put security constraints on at the
web.xml level. However, deep down in the code there are some places
that I need a user to be logged in. My overall UI ensures this all
works by having certain JSPs with constraints that force the user to log
in before getting to the servlet. But if the user spends too much time
interacting with the servlet and not reloading one of the pages that
require a login, the session will time out, and the user is now buried in
one of the servlets, and I've lost the session/userprincipal. It
appears that interacting with a servlet that has no constraints does not
reset the session timer. Is that correct, or am I seeing it wrong? I
know the easy answer would be to add a constraint requiring login to
access the servlet. But with the current design, that's not going to
work. Is there something I can do in the servlet and/or servlet config
in web.xml to force servlet access to keep resetting the session timer
so it won't expire without having to put role constraints directly on
the servlet?
Thx
Jerry