Hi,
I am trying to configure a timeout page with form based authentication. But it appears when the timeout happens Acegi treats it as the same way a user made the initial request to a secure resource. (i.e redirects the user to the login form URL since the Authentication object is not available in the session. )

If I use only the Basic authentication mechanism I can configure the timeout page as the loginFormURL and user gets the timeout page properly after the timeout

My issue here is how to configure a login page and a timeout page with form based authentication. I am not sure whether I am missing any functionality out of the box... any help is really appreciated.

Thanks,
Nilantha

As you point out, Acegi Security relies on the HttpSession to store the Authentication object between requests. If your web container expires the HttpSession, Acegi Security will have no choice but to re-authenticate the user. Of course you could use CAS which will automate re-authentication but that's not what authentication mechanism you're trying to use.

You therefore need to look at implementing your own timeout handler. So set your HttpSession duration to say 30 minutes and write a Filter that updates a HttpSession parameter on each request. If the Filter detects the last request was more than say five minutes ago, set the Authentication.credentials in the ContextHolder to null and redirect to a timeout page where the password is requested. The page should post and a Filter or MVC Controller validates the password by delegation to AuthenticationManager, and if correct updates the Authentication in the ContextHolder. Note the Authentication in the ContextHolder automatically replaces the Authentication in the HttpSession after each request.

Thanks Ben.

I'll try implementing a timeout handler


-Nilantha