shiro-user mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject Re: Question regarding Sessions
Date Wed, 28 Sep 2011 17:20:31 GMT
Hi Matt,

I'd consider this a bug - please open a Jira issue.

This probably hasn't been seen before because, for example in a web or
other 'server' style app, Shiro will validate a session on an inbound
request before allowing it to continue - this behavior wouldn't be
seen further down the call stack.

In a standalone environment, such as a test case or daemon program,
this would cause a problem if the timeout is very low.  Could you
please open an issue?

Thanks,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Wed, Sep 28, 2011 at 1:47 AM, MattShaw <matt.shaw@uk.thalesgroup.com> wrote:
> Hi,
>
> I have some questions regarding sessions and the API behaviour.
>
> If I execute the following code:
>
>        Factory<org.apache.shiro.mgt.SecurityManager> factory =
>            new IniSecurityManagerFactory("vkb.ini");
>
>        org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
>        SecurityUtils.setSecurityManager(securityManager);
>
>        Subject user = SecurityUtils.getSubject();
>
>        UsernamePasswordToken token = new UsernamePasswordToken("user", "battle1");
>
>        user.login(token);
>
>        Session session = user.getSession();
>        session.setTimeout(0);
>
>        user.logout();
>
> The logout method causes the following exception to occur:
>
> Exception in thread "main" org.apache.shiro.session.ExpiredSessionException:
> Session with id [7c3d80f2-ae4c-49b5-9a2d-a2c0f39cd904] has expired. Last
> access time: 28/09/11 09:35.  Current time: 28/09/11 09:35.  Session timeout
> is set to 0 seconds (0 minutes)
>        at org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:276)
>        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:180)
>        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
>        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
>        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
>        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
>        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.removeAttribute(AbstractNativeSessionManager.java:220)
>        at org.apache.shiro.session.mgt.DelegatingSession.removeAttribute(DelegatingSession.java:159)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
>        at org.apache.shiro.subject.support.DelegatingSubject.logout(DelegatingSubject.java:322)
>        at com.thalesgroup.battlelab.vkb.test.SecurityTest.main(SecurityTest.java:45)
>
> The only reason I'm calling setTimeout(0) is to simulate the session
> expiring due to a timeout that occurs in the system.  Why would the logout
> fail just because the session has expired?  How can I get around this issue?
>
> If I execute the following code:
>
>        Factory<org.apache.shiro.mgt.SecurityManager> factory =
>            new IniSecurityManagerFactory("vkb.ini");
>
>        org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
>        SecurityUtils.setSecurityManager(securityManager);
>
>        Subject user = SecurityUtils.getSubject();
>
>        UsernamePasswordToken token = new UsernamePasswordToken("user", "battle1");
>
>        user.login(token);
>        user.login(token);
>        user.login(token);
>        user.login(token);
>        user.login(token);
>
>        Session session = user.getSession();
>        session.setTimeout(0);
>
>        user.login(token);
>
> The last login command throws an exception with the following stack trace:
>
> Exception in thread "main" org.apache.shiro.session.ExpiredSessionException:
> Session with id [96aa8e29-4a55-4c79-be48-8ed90f49da85] has expired. Last
> access time: 28/09/11 09:41.  Current time: 28/09/11 09:41.  Session timeout
> is set to 0 seconds (0 minutes)
>        at org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:276)
>        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:180)
>        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
>        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
>        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
>        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
>        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.removeAttribute(AbstractNativeSessionManager.java:220)
>        at org.apache.shiro.session.mgt.DelegatingSession.removeAttribute(DelegatingSession.java:159)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>        at org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
>        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:246)
>        at com.thalesgroup.battlelab.vkb.test.SecurityTest.main(SecurityTest.java:49)
>
> Is this the same problem?  Why can't I login after a session has
> expired?  How can I login after a session has expired?
>
> It is probably me misunderstanding the API but any help would be greatly
> appreciated.
>
> Best regards
>
> Matt
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Question-regarding-Sessions-tp6839424p6839424.html
> Sent from the Shiro User mailing list archive at Nabble.com.
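
Added example, not part of the original thread and not Shiro project code: one way a standalone program can validate the session up front, as the reply says Shiro does per inbound request in a web app, and tolerate an already-expired session on logout and login. The class name StandaloneSessionGuard and its methods are hypothetical; it assumes the static SecurityManager was set with SecurityUtils.setSecurityManager as in the quoted code.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/** Hypothetical helper for standalone (non-web) Shiro programs. */
public final class StandaloneSessionGuard {

    private StandaloneSessionGuard() {}

    /** Returns a Subject whose session, if it has one, was valid when checked. */
    public static Subject currentSubject() {
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession(false); // false: do not create one
        if (session == null) {
            return subject;
        }
        try {
            session.touch(); // forces validation; throws if expired or stopped
            return subject;
        } catch (InvalidSessionException expired) {
            // ExpiredSessionException is a subclass. Unbind the stale Subject so
            // the next getSubject() builds a fresh, unauthenticated one.
            ThreadContext.unbindSubject();
            return SecurityUtils.getSubject();
        }
    }

    /** Logout that does not fail when the session has already expired. */
    public static void logout(Subject subject) {
        try {
            subject.logout();
        } catch (InvalidSessionException alreadyGone) {
            // The session is already invalid; continue to the cleanup below.
        } finally {
            ThreadContext.unbindSubject(); // never leave the old identity bound
        }
    }

    /** Login on a Subject that does not carry an expired session. */
    public static Subject login(AuthenticationToken token) {
        Subject subject = currentSubject();
        subject.login(token);
        return subject;
    }
}
```

Unbinding in the finally block matters for security: if logout throws part-way, the thread must not keep running with the previous user's Subject attached.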
