From: "Matt Shaw (Created) (JIRA)"
To: dev@shiro.apache.org
Date: Thu, 29 Sep 2011 06:18:45 +0000 (UTC)
Subject: [jira] [Created] (SHIRO-329) Standalone session timeout issue

Standalone session timeout issue
--------------------------------

                 Key: SHIRO-329
                 URL: https://issues.apache.org/jira/browse/SHIRO-329
             Project: Shiro
          Issue Type: Bug
          Components: Session Management
    Affects Versions: 1.1.0
         Environment: Windows XP 32 bit, Java 1.6.0
            Reporter: Matt Shaw

Hi,

I have some questions regarding sessions and the API behaviour.

If I execute the following code:

    Factory<org.apache.shiro.mgt.SecurityManager> factory = new IniSecurityManagerFactory("vkb.ini");
    org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
    SecurityUtils.setSecurityManager(securityManager);
    Subject user = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken("user", "battle1");
    user.login(token);
    Session session = user.getSession();
    session.setTimeout(0);   // simulate the session timing out
    user.logout();           // throws ExpiredSessionException

The logout method causes the following exception to occur:

    Exception in thread "main" org.apache.shiro.session.ExpiredSessionException: Session with id [7c3d80f2-ae4c-49b5-9a2d-a2c0f39cd904] has expired. Last access time: 28/09/11 09:35. Current time: 28/09/11 09:35. Session timeout is set to 0 seconds (0 minutes)
        at org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:276)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:180)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.removeAttribute(AbstractNativeSessionManager.java:220)
        at org.apache.shiro.session.mgt.DelegatingSession.removeAttribute(DelegatingSession.java:159)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
        at org.apache.shiro.subject.support.DelegatingSubject.logout(DelegatingSubject.java:322)
        at com.thalesgroup.battlelab.vkb.test.SecurityTest.main(SecurityTest.java:45)

The only reason I'm calling setTimeout(0) is to simulate the session expiring due to a timeout that occurs in the system. Why would the logout fail just because the session has expired? How can I get around this issue?

If I execute the following code:

    Factory<org.apache.shiro.mgt.SecurityManager> factory = new IniSecurityManagerFactory("vkb.ini");
    org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
    SecurityUtils.setSecurityManager(securityManager);
    Subject user = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken("user", "battle1");
    user.login(token);
    user.login(token);
    user.login(token);
    user.login(token);
    user.login(token);
    Session session = user.getSession();
    session.setTimeout(0);   // simulate the session timing out
    user.login(token);       // throws ExpiredSessionException

The last login command throws an exception with the following stack trace:

    Exception in thread "main" org.apache.shiro.session.ExpiredSessionException: Session with id [96aa8e29-4a55-4c79-be48-8ed90f49da85] has expired. Last access time: 28/09/11 09:41. Current time: 28/09/11 09:41. Session timeout is set to 0 seconds (0 minutes)
        at org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:276)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:180)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.removeAttribute(AbstractNativeSessionManager.java:220)
        at org.apache.shiro.session.mgt.DelegatingSession.removeAttribute(DelegatingSession.java:159)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:246)
        at com.thalesgroup.battlelab.vkb.test.SecurityTest.main(SecurityTest.java:49)

Is this the same problem? Why can't I login after a session has expired? How can I login after a session has expired?

It is probably me misunderstanding the API but any help would be greatly appreciated.

Best regards
Matt

Sep 28, 2011; 6:20pm
Les Hazlewood-2

Hi Matt,

I'd consider this a bug - please open a Jira issue.

This probably hasn't been seen before because, for example in a web or other 'server' style app, Shiro will validate a session on an inbound request before allowing it to continue - this behavior wouldn't be seen further down the call stack. In a standalone environment, such as a test case or daemon program, this would cause a problem if the timeout is very low.

Could you please open an issue?

Thanks,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
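
For the two failures reported above (logout and a repeated login on a Subject whose session has expired), one way a standalone program can tolerate them. This is an added example, not code from the thread or from the Shiro project; the class ExpiredSessionGuard and its methods are hypothetical, and it assumes the Subject is the thread-bound one returned by SecurityUtils.getSubject(), as in the report's code.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/** Hypothetical helper (not part of Shiro) for standalone code that may hold an expired session. */
public final class ExpiredSessionGuard {

    private ExpiredSessionGuard() {
    }

    /**
     * Logs the subject out. An already expired or stopped session is treated as
     * "nothing left to end" instead of being allowed to abort the caller.
     */
    public static void logoutQuietly(Subject subject) {
        try {
            subject.logout();
        } catch (InvalidSessionException e) {
            // ExpiredSessionException is a subclass of InvalidSessionException.
            // In the report's trace it is raised from clearRunAsIdentities(),
            // so the stale Subject is discarded below rather than reused.
        } finally {
            // Assumption: 'subject' is the one bound to the current thread.
            ThreadContext.unbindSubject();
        }
    }

    /**
     * Logs in with the thread-bound subject. If that subject is tied to an
     * invalid session, it is dropped and the login is retried once on a fresh one.
     * Authentication failures are not caught and propagate to the caller.
     */
    public static Subject loginFresh(AuthenticationToken token) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);
        } catch (InvalidSessionException e) {
            ThreadContext.unbindSubject();        // forget the stale subject
            subject = SecurityUtils.getSubject(); // builds and binds a new one
            subject.login(token);
        }
        return subject;
    }
}
```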