diff --git a/webapp/config/web.xml b/webapp/config/web.xml
index 4d07084fc..8046cce14 100644
--- a/webapp/config/web.xml
+++ b/webapp/config/web.xml
@@ -185,6 +185,15 @@
+
+ Session Timeout Limiting Filter
+ edu.cornell.mannlib.vitro.webapp.filters.SessionTimeoutLimitingFilter
+
+
+ Session Timeout Limiting Filter
+ /*
+
+
Character Set Encoding Filter
edu.cornell.mannlib.vitro.webapp.filters.CharsetEncodingFilter
@@ -193,6 +202,7 @@
Character Set Encoding Filter
/*
+
JSession Strip Filter
edu.cornell.mannlib.vitro.webapp.filters.JSessionStripFilter
@@ -210,6 +220,7 @@
URL Rewriter Filter
/*
+
Portal Picker Filter
edu.cornell.mannlib.vitro.webapp.filters.PortalPickerFilter
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
index 5468d51a5..db83a30d2 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
@@ -39,6 +39,12 @@ import edu.cornell.mannlib.vitro.webapp.dao.jena.LoginEvent;
import edu.cornell.mannlib.vitro.webapp.dao.jena.LoginLogoutEvent;
public class Authenticate extends FreemarkerHttpServlet {
+ /** Maximum inactive interval for a ordinary logged in user session, in seconds. */
+ public static final int LOGGED_IN_TIMEOUT_INTERVAL = 300;
+
+ /** Maximum inactive interval for a editor (or better) session, in seconds. */
+ public static final int PRIVILEGED_TIMEOUT_INTERVAL = 32000;
+
private static final Log log = LogFactory.getLog(Authenticate.class
.getName());
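Review bot: The Javadoc on the two new constants reads `a ordinary` and `a editor`, and because these are now public constants consumed from another package (the filters), it is worth stating the magnitudes in human terms so a reader does not have to divide 32000 by 3600. Suggested text: `/** Maximum inactive interval for an ordinary logged-in user session, in seconds (5 minutes). */` and `/** Maximum inactive interval for an editor (or better) session, in seconds (about 8.9 hours). */`. The enclosing class Authenticate starts inside this hunk but its body continues well beyond it.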
@@ -301,10 +307,10 @@ public class Authenticate extends FreemarkerHttpServlet {
getUserDao(request).updateUser(user);
// Set the timeout limit on the session - editors, etc, get more.
- session.setMaxInactiveInterval(300); // seconds, not milliseconds
+ session.setMaxInactiveInterval(LOGGED_IN_TIMEOUT_INTERVAL); // seconds, not milliseconds
try {
if ((int) Integer.decode(lfb.getLoginRole()) > 1) {
- session.setMaxInactiveInterval(32000);
+ session.setMaxInactiveInterval(PRIVILEGED_TIMEOUT_INTERVAL);
}
} catch (NumberFormatException e) {
// No problem - leave it at the default.
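Review bot: The role check on the new lines gives the most privileged accounts the longest idle window (PRIVILEGED_TIMEOUT_INTERVAL, 32000 s, versus 300 s for ordinary users), so an unattended editor or admin session stays valid for roughly nine hours; the commit only names the existing literals and leaves that policy in place, which is the reverse of the usual least-exposure expectation and deserves either a deliberate justification in a comment or a shorter value. A one-line note such as `// NOTE: privileged sessions are deliberately kept alive longer than ordinary ones; review this against the deployment's session policy.` would at least make the choice visible. The fallback path in the catch block silently leaves a user whose role string does not parse on the short timeout, which is the safe direction, but the `(int)` cast on `Integer.decode(...)` is redundant and could be dropped. This hunk does not show whether the session is rotated before the timeout is set, so I cannot tell from here whether login reuses the pre-authentication session id.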
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/SessionTimeoutLimitingFilter.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/SessionTimeoutLimitingFilter.java
new file mode 100644
index 000000000..54ac0d730
--- /dev/null
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/SessionTimeoutLimitingFilter.java
@@ -0,0 +1,75 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.filters;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import edu.cornell.mannlib.vedit.beans.LoginFormBean;
+
+/**
+ * Manipulate the maximum inactive interval on sessions.
+ *
+ * - Logged in sessions and self-editing sessions already have the correct
+ * interval set.
+ * - Other sessions are trivial, and should have a short interval.
+ *
+ */
+public class SessionTimeoutLimitingFilter implements Filter {
+ /** Maximum inactive interval for a trivial session object, in seconds. */
+ private static final int TRIVIAL_SESSION_LIFETIME = 120;
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ public void doFilter(ServletRequest servletRequest,
+ ServletResponse servletResponse, FilterChain filterChain)
+ throws IOException, ServletException {
+ filterChain.doFilter(servletRequest, servletResponse);
+
+ limitTrivialSession(servletRequest);
+ }
+
+ /**
+ * If this request has a trivial session object -- that is, the user is not
+ * logged in and not self-editing -- then give it a short expiration
+ * interval.
+ */
+ private void limitTrivialSession(ServletRequest servletRequest) {
+ if (!(servletRequest instanceof HttpServletRequest)) {
+ return;
+ }
+ HttpServletRequest request = (HttpServletRequest) servletRequest;
+
+ // If no session object, nothing to do.
+ HttpSession session = request.getSession(false);
+ if (session == null) {
+ return;
+ }
+
+ // If logged in, leave it alone.
+ Object loginBean = session.getAttribute("loginHandler");
+ if (loginBean instanceof LoginFormBean) {
+ return;
+ }
+
+ // If self-editing, leave it alone.
+ if (VitroRequestPrep.isSelfEditing(request)) {
+ return;
+ }
+
+ // Otherwise, it's trivial, so shorten its life-span.
+ session.setMaxInactiveInterval(TRIVIAL_SESSION_LIFETIME);
+ }
+
+ public void destroy() {
+ }
+}
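Review bot: limitTrivialSession at the end of doFilter only runs when the rest of the chain returns normally; if a downstream servlet throws, a trivial session created during that request keeps the container's default timeout, so the shortening this filter exists for is skipped precisely on error paths. Wrapping the chain call in try/finally applies the interval either way. Separately, the exemption that treats any LoginFormBean stored under "loginHandler" as a logged-in user is only correct if that attribute is never set before authentication succeeds; if the bean is placed in the session while the login form is being shown, an unauthenticated session would escape the short timeout, which is worth confirming against Authenticate. A short comment explaining that the filter deliberately runs after the chain so that sessions created by the request itself are covered would also help the next reader.
```java
    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        try {
            filterChain.doFilter(servletRequest, servletResponse);
        } finally {
            // Run after the chain so a session created by this very request
            // is covered too, and apply the limit even when the chain fails.
            limitTrivialSession(servletRequest);
        }
    }
    // … unchanged: limitTrivialSession, init, destroy …
```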
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java
index f5767dcd3..bc5df20dd 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java
@@ -10,7 +10,6 @@ import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
-import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
@@ -22,9 +21,10 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import edu.cornell.mannlib.vitro.webapp.beans.ApplicationBean;
-import edu.cornell.mannlib.vitro.webapp.beans.Portal;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
+import edu.cornell.mannlib.vitro.webapp.beans.Portal;
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
+import edu.cornell.mannlib.vitro.webapp.controller.edit.Authenticate;
import edu.cornell.mannlib.vitro.webapp.dao.PortalDao;
import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
import edu.cornell.mannlib.vitro.webapp.dao.filtering.WebappDaoFactoryFiltering;
@@ -402,6 +402,7 @@ public class VitroRequestPrep implements Filter {
public static void forceToSelfEditing(HttpServletRequest request){
HttpSession sess = request.getSession(true);
+ sess.setMaxInactiveInterval(Authenticate.LOGGED_IN_TIMEOUT_INTERVAL);
sess.setAttribute("inSelfEditing","true");
}
public static void forceOutOfSelfEditing(HttpServletRequest request){
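Review bot: forceToSelfEditing now lengthens the session's inactive interval, but its counterpart forceOutOfSelfEditing, whose body begins on the last line of this hunk and continues outside it, is not touched; as far as these lines show, a session leaving self-editing keeps LOGGED_IN_TIMEOUT_INTERVAL until SessionTimeoutLimitingFilter happens to shorten it on a later request. Resetting the interval explicitly there would make the lifecycle symmetric rather than relying on the filter. On style, the added import makes a filter class depend on the controller Authenticate solely for a constant; moving the timeout constants to a neutral class that both the filter and the controller import would avoid the filters-to-controller dependency.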