This week's giveaway is in the Android forum.
We're giving away four copies of Android Security Essentials Live Lessons and have Godfrey Nolan on-line!
See this thread for details.
The moose likes Servlets and the fly likes How to handle session timeout when using Servlet 3.0 programmatic security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "How to handle session timeout when using Servlet 3.0 programmatic security" Watch "How to handle session timeout when using Servlet 3.0 programmatic security" New topic
Author

How to handle session timeout when using Servlet 3.0 programmatic security

Pat Garner
Greenhorn

Joined: Mar 05, 2004
Posts: 9
Regarding Servlet 3.0 programmatic security, when a session times out there is no way to invoke HttpServletRequest#logout().

Does the user remain logged into JAAS?

If so, what is best practice to handle logging out of JAAS after session times out?

How does the container handle the user's subsequent request to login again and create a new session after session timeout?

As an aside, what are the pros and cons of using the following three approaches to handle session timeout when using Servlet 3.0 programmatic security:

HttpSessionListener#sessionDestroyed()
Make the @ManagedBean @SessionScoped LoginManager implement HttpSessionBindingListener and do something in valueUnbound.
Annotate a method in LoginManager with @PreDestroy.

Any other suggested approaches/ best practices advice would surely be appreciated.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: How to handle session timeout when using Servlet 3.0 programmatic security
 
Similar Threads
Programmatic vs Declarative Security
Why JAAS ?
IT Security, and certifications
LoginModules (jaas) and EJB
Web Applications and JAAS