Tim Holloway wrote:There most definitely is a system used for A/A. ALWAYS. I repeat. It's not magic and it's not automatic.
When we started, you said "Tomcat server timeout", which to me implied that you were using the JEE standard Container-Manager Security system that's built into Tomcat. That system has Tomcat (the container) managing authentication and authorization. The container security system looks at the webapp's /WEB-INF/web.xml file (or annotation equivalents to determine transport security, security roles and their mapping to URLs as well as whether to use FORM-based or BASIC security for the login process.
In container-managed security, the webapp has no login code of its own. Instead, when a protected URL is submitted to Tomcat, Tomcat parks the URL request and runs its own login code internally. Until/unless the user presents valid login credentials, the process does not enter application code. Once authenticated, the original URL requeust proceeds to the webapp.
Tomcat handles authentication using Realms, which are plug-in modules that support authentication methods via a standard Realm Interface. The authentication methods simply take in the credentials and return a pass/fail to Tomcat's login logic. The Realms themselves may authenticate against databases, LDAP/Active Directory servers, XML files (reccommended only for testing) or any other soure you can think of. If none of the standard set works, you can implement your own Realm (been there/did that).
Container Security can also jack into meta-security (Simgle Sign-on) systems such as Kerberos or Windows Security. In which case, the Tomcat server may not need a signon because SSO allows the user to come in pre-authenticated. Which is why there is no "login" event defined for JEE webapp containers.
And that's just assuming that you ARE using JEE standard Authentication. It's very important to know how you're authenticating, because while HttpSessions support container security, they are not only applicable to container security. Thus a timeout of the session may not always be equivalent to logging out.
Rajkamal Pillai wrote:
I'm not really sure what kinds of performance/usabilities issues you might be thinking of. Can you give some examples?
Rajkamal Pillai wrote:
I mean the User logs in - he/she (scared about the pronouns, here) gets validated against a database, the "User" object gets loaded - their timeout settings get loaded - setMaxInactiveInterval() is invoked - and they gotabout doing whatever business they care for. I might have an admin level user but I think that is irrelevant at this point.
Paul Clapham wrote: It seems like you don't need to extend the timeout interval for everybody, only for some people. If that's not the case and everybody should have an equally extended timeout interval, then just configure that interval into the server.
Paul Clapham wrote: Otherwise, you're going to need a User object to assign a specified timeout interval for each person who has their timeout interval extended. You'd assign this interval when they sign in and there's no need to do it at any other time. Neither do you need a notification when the server times out. So this requires one message from client to server when the user signs in, without any requirement for the user to do anything. So there's no "usability side effect". If this counts as a "performance side-effect" then you need to go to the person saying that and suggest they start being realistic.
Paul Clapham wrote: Perhaps I've missed some of your requirements. I'm assuming you don't want security side-effects like allowing the user to leave the session signed in for a long period of time while they are absent from the computer.
Paul Clapham wrote:
Rajkamal Pillai wrote:According to my understanding Tomcat checks for session timeouts in intervals. Then the server should timeout around the set interval (web.xml). Or does Tomcat check for this timeout interval when it receives each new request?
I don't know how Tomcat does that but... if I were designing a system like this, I wouldn't be checking sessions every X minutes to see if they had expired. I would just check a session when a related request came in, and expire the session if it had timed out then. But that's just me. Perhaps you could mention where your understanding came from?