I finally managed to get the sessions to time out after 1 minute. This makes
it much easier for testing purposes! I still get the exception, however.

Here is the security-constraint definition:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                Page constraints for users
            </web-resource-name>
            <url-pattern>/index.html</url-pattern>
            <url-pattern>/main.jsf</url-pattern>
            <url-pattern>/stylesheet.css</url-pattern>
            <url-pattern>/images/*</url-pattern>
            <url-pattern>/logOut.jsf</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>myrole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Here is the access log:

192.168.0.110 - admin [02/Dec/2008:17:13:02 +0000] "GET /images/hidden.gif HTTP/1.1" 200 1510
192.168.0.110 - admin [02/Dec/2008:17:13:02 +0000] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "POST /main.jsf HTTP/1.1" 200 90018
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org.ajax4jsf.javascript.AjaxScript.jsf HTTP/1.1" 200 53724
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org.ajax4jsf.javascript.PrototypeScript.jsf HTTP/1.1" 200 95028
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/utils.js.jsf HTTP/1.1" 200 9094
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/ajax4jsf/javascript/scripts/form.js.jsf HTTP/1.1" 200 2098
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/form.js.jsf HTTP/1.1" 200 372
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/panelMenu.js.jsf HTTP/1.1" 200 10162
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/panelMenu.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 1262
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/data-table.js.jsf HTTP/1.1" 200 5500
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/s/3_2_2.SR1css/table.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 2717
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf HTTP/1.1" 200 1164
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /stylesheet.css HTTP/1.1" 200 8715
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /images/hiddenimage.gif HTTP/1.1" 200 68
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - admin [02/Dec/2008:17:13:13 +0000] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 5114
192.168.0.110 - admin [02/Dec/2008:17:28:01 +0000] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 4436
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /sessionTimeout.jsf HTTP/1.1" 200 2614
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 6857
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 4134
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf HTTP/1.1" 200 1164
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "POST /j_security_check HTTP/1.1" 400 1100
192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "GET /favicon.ico HTTP/1.1" 200 21630


On Tue, Dec 2, 2008 at 11:28 AM, Christopher Schultz <
[EMAIL PROTECTED]> wrote:

> Martin,
>
> Martin Dubuc wrote:
> > I am not sure I understand exactly why, but it seems to me that, although
> > the sessionTimeout.jsp page is not protected, if the user responds to
> > "Navigate away" prompt after Tomcat removes the session from the session
> > list, then, Tomcat presents the login form instead of the session expiry
> > notification page.
>
> Perhaps Tomcat is reacting to a request for a different resource. Can
> you post your access log for the time period around this request? Also,
> you might want to post your <security-constraint> sections from web.xml.
>
> > I would also like to know why ${pageContext.session.maxInactiveInterval}
> > evaluates to 900 even if I set the session-timeout variable to 1 minute in
> > the application web.xml configuration file (and even in Tomcat conf/web.xml
> > file). I find it odd that looking at the manager application main page, the
> > sessions listed on that page show Expire sessions with idle >= 1 minutes,
> > but yet, the TTL in the application session page starts at 15 minutes and
> > session only expires after 15 minutes.
>
> Maybe you'd better post that configuration as well.
>
> - -chris
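An added example, not part of the original message: a short Python script that replays an access log against the url-patterns of the security-constraint above and reports POSTs to /j_security_check that were not preceded by an anonymous request for a protected URL. It assumes the access-log layout shown in the message and that FORM login is expected to follow such a request; the names `is_protected` and `direct_login_posts` are hypothetical, and only the exact and `/prefix/*` pattern forms used in this constraint are handled.

```python
import re

# url-patterns copied from the <security-constraint> in the message above
PROTECTED = ["/index.html", "/main.jsf", "/stylesheet.css", "/images/*", "/logOut.jsf"]

# Entries taken from the access log in the message (a4j resource requests left out)
LOG = """\
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "POST /main.jsf HTTP/1.1" 200 90018
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /stylesheet.css HTTP/1.1" 200 8715
192.168.0.110 - admin [02/Dec/2008:17:28:01 +0000] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 4436
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /sessionTimeout.jsf HTTP/1.1" 200 2614
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "POST /j_security_check HTTP/1.1" 400 1100
"""

ENTRY = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def is_protected(path):
    """Match a request path against the exact and /prefix/* patterns above."""
    path = path.split("?", 1)[0]
    for pattern in PROTECTED:
        if pattern.endswith("/*"):
            if path == pattern[:-2] or path.startswith(pattern[:-1]):
                return True
        elif path == pattern:
            return True
    return False

def direct_login_posts(log_text):
    """Return (timestamp, path, status) for login POSTs with no pending protected request."""
    findings = []
    pending = {}  # client IP -> an anonymous request for a protected URL was seen
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        client, user, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?", 1)[0].endswith("/j_security_check"):
            if not pending.get(client):
                findings.append((ts, path, int(status)))
            pending[client] = False
        elif user == "-":
            pending[client] = pending.get(client, False) or is_protected(path)
        else:
            pending[client] = False  # authenticated request: nothing waiting on a login
    return findings

if __name__ == "__main__":
    for finding in direct_login_posts(LOG):
        print(finding)
```

On the entries from the message it reports the 17:28:11 POST, which follows only anonymous requests for /sessionTimeout.jsf and /favicon.ico, neither of which is covered by the constraint.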