Hello,
We have some issues with tokens obtained via the API for Trusted Authentication that seem to become invalid after some time, and we are not sure why.
In order to take our own product out of the equation, I have written a sandbox program that does the same thing as our integration to BO and gives the same error message. It simply logs in and uses the API to generate a token:
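    import com.crystaldecisions.sdk.exception.SDKException;
    import com.crystaldecisions.sdk.framework.CrystalEnterprise;
    import com.crystaldecisions.sdk.framework.IEnterpriseSession;
    import com.crystaldecisions.sdk.framework.ISessionMgr;
    import com.crystaldecisions.sdk.framework.ITrustedPrincipal;

    // Declared outside the try block so the later token test can use them.
    ISessionMgr sesMgr = null;
    String defaultToken = null;
    try {
        sesMgr = CrystalEnterprise.getSessionMgr();
        // Trusted Authentication logon: user name, CMS host:port, shared secret.
        ITrustedPrincipal principal = sesMgr.createTrustedPrincipal("John.Doe", "123.456.78.90:6400", "SHARED-SECRET");
        IEnterpriseSession enterpriseSession = sesMgr.logon(principal);
        String serializedSession = enterpriseSession.getSerializedSession();
        // Default logon token of the session just created.
        defaultToken = enterpriseSession.getLogonTokenMgr().getDefaultToken();
        System.out.println("Token = " + defaultToken);
    } catch (SDKException e) {
        e.printStackTrace();
    }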
We can then take the token that is printed out on stdout
    TEST-DTK-APP01.foobar.com:6400@17850JG0srJO5za4YoitK17849Ju6r1efEF52BRylA
and use it to construct an openDocument URL like this one:
This URL opens up nicely when you paste it into a browser and shows the report without asking the user for credentials. But if we try the exact same URL after 30 minutes, the user is asked for credentials.
I guess it is fair that the tokens expire after a while, but my question is, what decides the validity periods of these tokens? And another question: it seems that the token does not expire when I use it via an API and not a browser. For example, I tried to run this loop that uses the token to make a query to the CMS every 5 minutes for 150 minutes:
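    import com.crystaldecisions.sdk.occa.infostore.IInfoObjects;
    import com.crystaldecisions.sdk.occa.infostore.IInfoStore;

    for (int i = 0; i < 30; i++) {
        try {
            Thread.sleep(5 * 60 * 1000); // wait 5 minutes between attempts
            // Each iteration opens a new session from the same token.
            IEnterpriseSession session2 = sesMgr.logonWithToken(defaultToken);
            IInfoStore infoStore = (IInfoStore) session2.getService("InfoStore");
            String query = "select SI_NAME, SI_ID from CI_INFOOBJECTS "
                    + "where SI_KIND = 'Webi' and SI_INSTANCE=0";
            IInfoObjects infoObjects = (IInfoObjects) infoStore.query(query);
            System.out.println("i = " + i + ", result is: " + infoObjects.toString());
        } catch (InterruptedException ex) {
            System.out.println("Interrupted...");
        } catch (SDKException e) {
            // logonWithToken, getService and query all throw SDKException.
            e.printStackTrace();
        }
    }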
Since the token became invalid after 30 minutes in the browser, I would have expected this to fail at some point too. But it did not - my log from this program kept showing the list of available reports in the system. Maybe that is because I use the token to create a new session each time?
Thanks,
/Noah