I'm using MemoryRealm to protect my JSP application.
It works just fine: User will need to enter the username and password in a pop-up box before they can enter the JSP.
My question is: Is there any built-in capability that I can put in my web.xml or somewhere else so that, let's say, after some period of inactivity, the pop-up box will show up again and the user will be required to enter the username and password again?
The dialog box only appears when the client (the browser) sends a request to the server for a protected resource and the user is not logged in. The server then sends back a response indicating that the user needs to authenticate himself to access that resource. That's when the dialog appears.
I'm not exactly sure when it would appear again but from what I've experienced, it won't happen on a session timeout. I don't think you can control it; it only appears when the authentication is required for the first time or subsequently fails.
On the other hand, if you used FORM based login, you could redirect your user to the login page on session timeout and require him to log in again.
EDIT: As I understand it, I suspect that it works this way:
1. You attempt to access a protected page.
2. The server sends back a response asking you for authentication.
3. The browser displays the dialog and you enter the details.
4. If it's invalid, repeat from 2.
5. Else, the server then sends you the correct response.
6. If you attempt to access the protected resource again, the browser preemptively sends your userid/password with the very first request, so you don't have to enter it again. However, should it fail for some reason, you'll repeat from 2.