I finally managed to get the sessions to time out after 1 minute. This makes it much easier for testing purposes! I still get the exception, however.

Here is the security-constraint definition:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Page constraints for users</web-resource-name>
    <url-pattern>/index.html</url-pattern>
    <url-pattern>/main.jsf</url-pattern>
    <url-pattern>/stylesheet.css</url-pattern>
    <url-pattern>/images/*</url-pattern>
    <url-pattern>/logOut.jsf</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myrole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Here is the access log:

192.168.0.110 - admin [02/Dec/2008:17:13:02 +0000] "GET /images/hidden.gif HTTP/1.1" 200 1510
192.168.0.110 - admin [02/Dec/2008:17:13:02 +0000] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "POST /main.jsf HTTP/1.1" 200 90018
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org.ajax4jsf.javascript.AjaxScript.jsf HTTP/1.1" 200 53724
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org.ajax4jsf.javascript.PrototypeScript.jsf HTTP/1.1" 200 95028
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/utils.js.jsf HTTP/1.1" 200 9094
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/ajax4jsf/javascript/scripts/form.js.jsf HTTP/1.1" 200 2098
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/form.js.jsf HTTP/1.1" 200 372
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/panelMenu.js.jsf HTTP/1.1" 200 10162
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/panelMenu.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 1262
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/data-table.js.jsf HTTP/1.1" 200 5500
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/s/3_2_2.SR1css/table.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 2717
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf HTTP/1.1" 200 1164
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /stylesheet.css HTTP/1.1" 200 8715
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /images/hiddenimage.gif HTTP/1.1" 200 68
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - admin [02/Dec/2008:17:13:13 +0000] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 5114
192.168.0.110 - admin [02/Dec/2008:17:28:01 +0000] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 4436
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /sessionTimeout.jsf HTTP/1.1" 200 2614
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 6857
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 4134
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf HTTP/1.1" 200 1164
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "POST /j_security_check HTTP/1.1" 400 1100
192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "GET /favicon.ico HTTP/1.1" 200 21630

On Tue, Dec 2, 2008 at 11:28 AM, Christopher Schultz <[EMAIL PROTECTED]> wrote:

> Martin,
>
> Martin Dubuc wrote:
> > I am not sure I understand exactly why, but it seems to me that, although
> > the sessionTimeout.jsp page is not protected, if the user responds to
> > "Navigate away" prompt after Tomcat removes the session from the session
> > list, then, Tomcat presents the login form instead of the session expiry
> > notification page.
>
> Perhaps Tomcat is reacting to a request for a different resource. Can
> you post your access log for the time period around this request? Also,
> you might want to post your <security-constraint> sections from web.xml.
>
> > I would also like to know why ${pageContext.session.maxInactiveInterval}
> > evaluates to 900 even if I set the session-timeout variable to 1 minute in
> > the application web.xml configuration file (and even in Tomcat conf/web.xml
> > file). I find it odd that looking at the manager application main page, the
> > sessions listed on that page show Expire sessions with idle >= 1 minutes,
> > but yet, the TTL in the application session page starts at 15 minutes and
> > session only expires after 15 minutes.
>
> Maybe you'd better post that configuration as well.
>
> -chris
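
Added example, not part of the original thread: a check over the access-log format above that flags a POST to /j_security_check arriving while the client had no anonymous request outstanding for a URL covered by the posted <security-constraint>, which is the sequence at 17:28:04 to 17:28:11 in the log. The function names and the two 192.168.0.111 log lines are constructed for illustration.

```python
import re

# url-patterns copied from the <security-constraint> in the post
PROTECTED = ["/index.html", "/main.jsf", "/stylesheet.css", "/images/*", "/logOut.jsf"]
LINE = re.compile(r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def is_protected(path, patterns=PROTECTED):
    """Match exact and '/prefix/*' url-patterns (the only kinds used above)."""
    for p in patterns:
        if p.endswith("/*"):
            if path == p[:-2] or path.startswith(p[:-1]):
                return True
        elif path == p:
            return True
    return False

def orphan_logins(lines):
    """Login POSTs sent while no anonymous request for a protected URL
    was pending for that client, as (timestamp, host, status) tuples."""
    pending, findings = {}, []   # pending: host -> protected path or None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue             # skip lines that are not access-log entries
        host, user = m["host"], m["user"]
        path = m["path"].split("?", 1)[0]        # drop the query string
        if path.endswith("/j_security_check"):
            if pending.get(host) is None:
                findings.append((m["ts"], host, int(m["status"])))
            pending[host] = None
        elif user != "-":
            pending[host] = None                 # authenticated traffic
        elif is_protected(path):
            pending[host] = path                 # anonymous hit on a protected URL
    return findings

# The 192.168.0.110 lines are taken from the access log in the post; the two
# 192.168.0.111 lines are constructed to show an ordinary login for contrast.
SAMPLE = """\
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "POST /main.jsf HTTP/1.1" 200 90018
192.168.0.110 - admin [02/Dec/2008:17:28:01 +0000] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 4436
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /sessionTimeout.jsf HTTP/1.1" 200 2614
192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "POST /j_security_check HTTP/1.1" 400 1100
192.168.0.111 - - [02/Dec/2008:17:30:00 +0000] "GET /main.jsf HTTP/1.1" 200 1500
192.168.0.111 - - [02/Dec/2008:17:30:05 +0000] "POST /j_security_check HTTP/1.1" 302 -
""".splitlines()

if __name__ == "__main__":
    print(orphan_logins(SAMPLE))
```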