From users-return-188719-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org Tue Dec 02 18:19:34 2008
Return-Path: <users-return-188719-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 9357 invoked from network); 2 Dec 2008 18:19:33 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 2 Dec 2008 18:19:33 -0000
Received: (qmail 10915 invoked by uid 500); 2 Dec 2008 18:19:32 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 10886 invoked by uid 500); 2 Dec 2008 18:19:32 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 10875 invoked by uid 99); 2 Dec 2008 18:19:32 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Dec 2008 10:19:32 -0800
X-ASF-Spam-Status: No, hits=2.2 required=10.0
	tests=HTML_MESSAGE,NORMAL_HTTP_TO_IP,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of martind1111@gmail.com designates 74.125.46.152 as permitted sender)
Received: from [74.125.46.152] (HELO yw-out-1718.google.com) (74.125.46.152)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Dec 2008 18:18:02 +0000
Received: by yw-out-1718.google.com with SMTP id 5so1525045ywr.54
        for <users@tomcat.apache.org>; Tue, 02 Dec 2008 10:18:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:message-id:date:from:to
         :subject:in-reply-to:mime-version:content-type:references;
        bh=0gesfp+GMlR2l4utjH/hBbtGZtxe6RpcaZF0/NDwj6U=;
        b=su52wv33Yyar/ZC4/MDQ2f19bKJ0ZoS/JaX6nMusclN9WYD2A1q7jYE+DFBBkJ8pxU
         bARENBr+7Q34c+aHVBRj5PwYWTIxhlU2QnJIQqltGt8ZUn4x7XKFEm2vEabm+LryVLB2
         I1m2rG1+aBa5xylSROZ91klsZxPWCs9oO+NXU=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:to:subject:in-reply-to:mime-version
         :content-type:references;
        b=BsfpoKT3i8wYoIkCyLehc4L7QbMwZEvGwVlydcC3HZW5KFg+gtx9D5Kt4V0vUWXhjP
         5rL/kl7a7E75LiYeqiANnmMom+i6BT/eZ5AaHJKVof7z+muEdWsgJIbUu/yB61bugxMT
         DRCP4O0pnxlF8R1qejGyCCcvVAf8fjmuO9bJY=
Received: by 10.103.24.11 with SMTP id b11mr5430076muj.58.1228241918950;
        Tue, 02 Dec 2008 10:18:38 -0800 (PST)
Received: by 10.103.137.14 with HTTP; Tue, 2 Dec 2008 10:18:38 -0800 (PST)
Message-ID: <7a0107ba0812021018h76b19b26h4d62ea44e96f1232@mail.gmail.com>
Date: Tue, 2 Dec 2008 13:18:38 -0500
From: "Martin Dubuc" <martind1111@gmail.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Subject: Re: j_security_check
In-Reply-To: <4935624A.4020102@christopherschultz.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_130848_8185430.1228241918943"
References: <7a0107ba0812011410v48ec0f17w8eb292b843f65656@mail.gmail.com>
	 <4935624A.4020102@christopherschultz.net>
X-Virus-Checked: Checked by ClamAV on apache.org

------=_Part_130848_8185430.1228241918943
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

I finally managed to get the sessions to time out after 1 minute. This makes
it much easier for testing purposes! I style get the exception however.

Here is the security-constraint definition:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                Page constraints for users
            </web-resource-name>
            <url-pattern>/index.html</url-pattern>
            <url-pattern>/main.jsf</url-pattern>
            <url-pattern>/stylesheet.css</url-pattern>
            <url-pattern>/images/*</url-pattern>
            <url-pattern>/logOut.jsf</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>myrole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Here is the access log:

192.168.0.110 - admin [02/Dec/2008:17:13:02 +0000] "GET /images/hidden.gif
HTTP/1.1" 200 1510
192.168.0.110 - admin [02/Dec/2008:17:13:02 +0000] "GET /favicon.ico
HTTP/1.1" 200 21630
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "POST /main.jsf HTTP/1.1"
200 90018
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/a4j/g/3_2_2.SR1org.ajax4jsf.javascript.AjaxScript.jsf HTTP/1.1" 200 53724
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/a4j/g/3_2_2.SR1org.ajax4jsf.javascript.PrototypeScript.jsf HTTP/1.1" 200
95028
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/utils.js.jsf HTTP/1.1"
200 9094
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/a4j/g/3_2_2.SR1org/ajax4jsf/javascript/scripts/form.js.jsf HTTP/1.1" 200
2098
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/form.js.jsf HTTP/1.1"
200 372
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/panelMenu.js.jsf
HTTP/1.1" 200 10162
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/panelMenu.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf
 HTTP/1.1" 200
1262
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/data-table.js.jsf
HTTP/1.1" 200 5500
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/s/3_2_2.SR1c
ss/table.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200
2717              192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf
HTTP/1.1" 200 1164
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /stylesheet.css
HTTP/1.1" 200 8715
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET
/images/hiddenimage.gif HTTP/1.1" 200 68
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /favicon.ico
HTTP/1.1" 200 21630
192.168.0.110 - admin [02/Dec/2008:17:13:13 +0000] "POST
/manager/html/sessions?path=/system HTTP/1.1" 200 5114
192.168.0.110 - admin [02/Dec/2008:17:28:01 +0000] "POST
/manager/html/sessions?path=/system HTTP/1.1" 200 4436
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /sessionTimeout.jsf
HTTP/1.1" 200 2614
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET
/a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf
HTTP/1.1" 200 6857
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET
/a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf
HTTP/1.1" 200 4134
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET
/a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf
HTTP/1.1" 200 1164
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /favicon.ico HTTP/1.1"
200 21630
192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "POST /j_security_check
HTTP/1.1" 400 1100
192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "GET /favicon.ico HTTP/1.1"
200 21630


On Tue, Dec 2, 2008 at 11:28 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Martin,
>
> Martin Dubuc wrote:
> > I am not sure I understand exactly why, but it seems to me that, although
> > the sessionTimeout.jsp page is not protected, if the user responds to
> > "Navigate away" prompt after Tomcat removes the session from the session
> > list, then, Tomcat presents the login form instead of the session expiry
> > notification page.
>
> Perhaps Tomcat is reacting to a request for a different resource. Can
> you post your access log for the time period around this request? Also,
> you might want to post your <security-constraint> sections from web.xml.
>
> > I would also like to know why ${pageContext.session.maxInactiveInterval}
> > evaluates to 900 even if I set the session-timeout variable to 1 minute
> in
> > the application web.xml configuration file (and even in Tomcat
> conf/web.xml
> > file). I find it odd that looking at the manager application main page,
> the
> > sessions listed on that page show Expire sessions with idle >= 1 minutes,
> > but yet, the TTL in the application session page starts at 15 minutes and
> > session only expires after 15 minutes.
>
> Maybe you'd better post that configuration as well.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkk1YkoACgkQ9CaO5/Lv0PDHQwCgv2/xLxBa8JMG5UxRQMmXWF14
> 2osAn3VOaoptfmdDq53bU3Y84vPw+e3v
> =/Wrd
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

------=_Part_130848_8185430.1228241918943--