JavaRanch » Java Forums » Java » Servlets
how to force user to login again when the session timed out

pkinuk Buler
Ranch Hand

Joined: May 22, 2009
Posts: 63
Hi all,

Here is my scenario:

1. I set my application using the BASIC auth-method in the web.xml file


2. Set the security-constraint like:


3. Set the session time out as 1 minute:


What I expected was for the BASIC login box to be shown to the user, asking them to authenticate whenever a session is created (i.e. log the user out and ask them to log in again when the session has timed out).

However, what I found was different from what I expected: every time I started the Tomcat server, it allowed me to enter the user name and password once. Even though a new session was created after the current session expired, I still couldn't get the login box to pop up again unless I closed the browser.

Could anyone give me some advice to help me solve this problem?
Jayr Motta
Ranch Hand

Joined: Jul 30, 2010
Posts: 110

Hi pkinuk,

Session and authentication should not be related concepts in your mind, because those who think like that always create applications with security breaches. The BASIC security method built on top of J2EE uses headers instead of cookies to identify the agent of subsequent requests; see http://en.wikipedia.org/wiki/Basic_access_authentication, which talks about "HTTP headers", and you can take a lot from there.

But answering your question: what you are in fact trying to do is connect your authentication mechanism to session tracking. To do that you should, at request/response time, check whether there is a cookie (or whether it's still valid) and, if it isn't, remove the auth header. A common implementation of this uses filters (in fact all security implementations should be done like this, declaratively or with AOP).

Hope it helps you; in case it didn't, feel free to ask again, I'll be pleased to help you!


Feel free to ask me anything!
www.BlackBeltFactory.com/ui#!/ref=jmotta, SCJP 6, OCWCD JEE5, OCE EJB JEE6
pkinuk Buler
Ranch Hand

Joined: May 22, 2009
Posts: 63
hi Jayr Motta,

Thank you for your reply. I tried to google how to remove the auth header, but I couldn't find a suitable example. Could you please give me an example or an example page?

What I've done is create a Filter implementation class; in the doFilter method:


Unfortunately, the login page didn't show up when the current session expired and I clicked the link again. Here is my filter setting in the web.xml file:


Thank you in advance.
Jayr Motta
Ranch Hand

Joined: Jul 30, 2010
Posts: 110

Are you sure that the authorization header is called authorization? And you should do something like if (request.getSession().isNew()) { //code to remove http auth header }
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18903

pkinuk Buler wrote:Hi all,

Here is my scenario:

1. I set my application using the BASIC auth-method in the web.xml file...

... What I expected was for the BASIC login box to be shown to the user, asking them to authenticate whenever a session is created (i.e. log the user out and ask them to log in again when the session has timed out).

However, what I found was different from what I expected: every time I started the Tomcat server, it allowed me to enter the user name and password once. Even though a new session was created after the current session expired, I still couldn't get the login box to pop up again unless I closed the browser.

Could anyone give me some advice to help me solve this problem?


Then your expectation was wrong. What you describe is exactly how browsers implement the basic authentication method. They ask the user for the credentials once per browsing session and cache the credentials.

So if you want something different -- and you do -- then you can't use basic authentication.
pkinuk Buler
Ranch Hand

Joined: May 22, 2009
Posts: 63
Paul Clapham wrote:
pkinuk Buler wrote:Hi all,

Here is my scenario:

1. I set my application using the BASIC auth-method in the web.xml file...

... What I expected was for the BASIC login box to be shown to the user, asking them to authenticate whenever a session is created (i.e. log the user out and ask them to log in again when the session has timed out).

However, what I found was different from what I expected: every time I started the Tomcat server, it allowed me to enter the user name and password once. Even though a new session was created after the current session expired, I still couldn't get the login box to pop up again unless I closed the browser.

Could anyone give me some advice to help me solve this problem?


Then your expectation was wrong. What you describe is exactly how browsers implement the basic authentication method. They ask the user for the credentials once per browsing session and cache the credentials.

So if you want something different -- and you do -- then you can't use basic authentication.


Thank you for your reply. Does it mean I need to use FORM Authentication to achieve my goal?
Jayr Motta
Ranch Hand

Joined: Jul 30, 2010
Posts: 110

Hi pkinuk,

About my last post, I want to say sorry. I work with Ajax applications, and removing an auth header is possible there, but not with pure HTTP in a straightforward implementation. My mistake!

In that case, and presuming that BASIC auth isn't the right implementation for you, you could do something like keep an object that represents the user in the session scope; it will then persist across multiple requests and will indicate (by existing there) whether the user is or isn't logged in. So you code a filter that checks whether there is a user object associated with the session of a given request (with the session configured to expire, so that when it expires all its attributes disappear) and then either lets the request move on or sends the user to an auth page.

However, if security is an issue for you, with this approach you'd better use SSL (even with BASIC it's recommended, but here there is the possibility of request forgery).
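A filter along the lines described in the post above, written here as an added example (it is not code from this thread). The attribute name, the /login.jsp path, the 60-second timeout (matching the original poster's 1-minute setting) and the /secure/* mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Map this filter in web.xml to the protected URL pattern (assumed: /secure/*).
public class SessionLoginFilter implements Filter {

    // Hypothetical attribute name under which the login servlet stores the user object.
    public static final String USER_ATTR = "authenticatedUser";

    // Called by the login servlet once the credentials have been verified.
    public static void loginSucceeded(HttpServletRequest request, Object user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();          // drop any pre-login session id (session fixation)
        }
        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(60);   // 1 minute, as in the original post
        session.setAttribute(USER_ATTR, user);
    }

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session: an expired or absent session
        // yields null, and the user object stored in it is gone with it.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            // Not logged in, or timed out: send the user to the login page and stop here.
            response.setHeader("Cache-Control", "no-store");
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res);   // logged in: let the request through
    }

    public void destroy() { }
}
```

Because the check is on a session attribute rather than on the Authorization header, the browser's cached BASIC credentials play no part, so a timed-out session really does land the user back on the login page.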