shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roman Doboni (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-486) HttpSessionBindingListener not called when session expires
Date Thu, 01 Nov 2018 23:38:00 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16672363#comment-16672363
] 

Roman Doboni commented on SHIRO-486:
------------------------------------

It's quite easy to make it work with Shiro, although It took me a while to understand what's
happening.

Core issue - the HttpSessionBindingListener is called only when the attribute is removed,
but not when the session is killed.

Work around - Implement a SessionListener that would do that for you.

{code}

@Override
 public void onStop(Session session)
 {
 processHttpSessionBindingListeners(session);
 }

@Override
 public void onExpiration(Session session)
 {
 processHttpSessionBindingListeners(session);
 }

// need to log any throwable
 @SuppressWarnings("squid:S1181")
 protected void processHttpSessionBindingListeners(Session session)
 {
 for (Object key : session.getAttributeKeys())
 {
 Object attribute = session.getAttribute(key);
 if (attribute instanceof HttpSessionBindingListener)
 {
 try
 {
 //signal all registered listeners
 ((HttpSessionBindingListener) attribute).valueUnbound(null);
 }
 catch (Throwable t)
 {
 LOG.debug("Error calling valueUnbound on [" + attribute + "] with key [" + key + "]", t);
 }
 }
 }
 }

{code}

> HttpSessionBindingListener not called when session expires
> ----------------------------------------------------------
>
>                 Key: SHIRO-486
>                 URL: https://issues.apache.org/jira/browse/SHIRO-486
>             Project: Shiro
>          Issue Type: Bug
>          Components: Session Management
>    Affects Versions: 1.2.1, 1.2.2
>         Environment: jdk7 
>            Reporter: Steve
>            Priority: Major
>         Attachments: spring-shiro-predestroy.zip
>
>
> I posted this in the user mailing list, but after some debugging I think it is a bug
in shiro's native session management: It seems that the HttpSessionBindingListener  that spring
installs is not called on destroy, so Spring is not able to delete session-scoped beans.
> From the mailing list post:
>  I'm having problems with session-scoped beans like this one 
>   
> @Named 
> @Scope(proxyMode = ScopedProxyMode.TARGET_CLASS, value = "session") 
> public class SessionBean { 
>   
>     @PostConstruct 
>     public void init() 
>   
>     @PreDestroy 
>     public void destroy() 
> } 
>   
> Using Shiro's default "ServletContainerSessionManager" both methods are called as expected,
but when I switch to native session management with DefaultWebSessionManager the pre-destroy
method is never called (post construct gets called). The validationScheduler runs, and the
globalSessionTimeout has been set. 
>   
> Anyone knows whats happening here ? I've uploaded a small example project as an attachement
 (just comment out the sessionManager in applicationContext.xml to see the working @PreDestroy).




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message