From: chris derham
Date: Thu, 10 Nov 2011 06:24:10 -0200
Subject: Re: Session time out never takes place with ajax
To: Tomcat Users List

> So to recap, and verify my understanding...
> Perhaps I am missing some valve overview.
>
> I understand it is invoked before the filters, but after completion it
> would arrive to the filter/servlet container anyway.
> So what you're saying is that if I build a valve and read information from
> IO file or/db or any other cached data which doesn't trigger a
> request.getSession
> That will work?
> And if so, I will still need to "break" the chain and prevent it from
> continuing deeper into tomcat or else it will update the session access time

Instead of mapping all requests e.g. /* through security*, you could split
your app. So say /public folder contains static resources and requires no
security*. You could put dynamic resources under /dynamic and map to
security*. That way anybody requesting a dynamic resource would need a
session, and this would be touched on every request to /dynamic/*. If you had
this kind of setup, then you could create another top level folder called say
/ajaxPing and not map that to security*. Then as long as the
filter/servlet/jsp page that fulfills that request does not call
request.getSession, you will fulfill your aim to respond without affecting
session expiration.

Alternatively you could put a valve in the front of the whole web app, and
have that respond to a given url, and then stop the request, e.g. not pass the
request to tomcat. I believe that is what Mr Schultz was suggesting.

* when I keep saying security, I'm not sure the correct collective term. I
don't just mean container security, but also any filter/servlet/jsp that calls
request.getSession

HTH

Chris
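
The valve approach described in the message above, as an added example (not code from the original post or from Tomcat itself). The class name AjaxPingValve, the com.example package and the pingPath property are hypothetical; it assumes the javax.servlet API of the Tomcat 6/7 era and that the valve is declared on the web app's Context so it runs ahead of every filter, servlet and JSP.

```java
package com.example; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException; // jakarta.servlet on Tomcat 10+
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Answers the ping URL itself and stops there, so nothing further down the
 * pipeline gets a chance to call request.getSession().
 *
 * Assumed registration in the web app's META-INF/context.xml:
 *   <Valve className="com.example.AjaxPingValve" pingPath="/ajaxPing"/>
 */
public class AjaxPingValve extends ValveBase {

    private String pingPath = "/ajaxPing"; // path relative to the context root

    public void setPingPath(String pingPath) {
        this.pingPath = pingPath;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String uri = request.getDecodedRequestURI();
        String contextPath = request.getContextPath();
        String path = uri.startsWith(contextPath)
                ? uri.substring(contextPath.length()) : uri;

        // Exact match only: a prefix match would let other URLs skip the
        // security mappings the rest of the application relies on.
        if (pingPath.equals(path)) {
            // No request.getSession() here, and nothing sensitive in the
            // reply: this URL is answered without any authentication.
            response.setHeader("Cache-Control", "no-store");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return; // break the chain: getNext() is never invoked
        }

        // Every other request continues down the pipeline unchanged.
        getNext().invoke(request, response);
    }
}
```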