shiro-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dan Tran <dant...@gmail.com>
Subject Re: Starting shiro 1.2 securityManager.sessionManager.globalSessionTimeout = 1800000 no longer configurable
Date Tue, 08 May 2012 19:59:46 GMT
Thanks for clarification, so it is likely from my tomcat/mywebapp
side.  Let's trouble shoot this issue from my side.

Thanks again

-D

On Tue, May 8, 2012 at 11:54 AM, Les Hazlewood <lhazlewood@apache.org> wrote:
> P.S. I tried this in Shiro's sample web app:
>
> https://svn.apache.org/repos/asf/shiro/trunk/samples/web/
>
> (mvn jetty:run)
>
> I added <session-config> (2 minutes) to web.xml and it timed out properly.
>
> Flow:
> 1. Log in successfully
> 2. See the home page
> 3. Wait a few minutes
> 4. Click on the 'account page' link.
>
> Shiro redirected me to the login page because my previous 2-minute session
> had timed-out.
>
> This is using Jetty of course, but it should work identically in Tomcat or
> any other servlet container for that matter.
>
> HTH,
>
> --
> Les Hazlewood
> CTO, Stormpath | http://stormpath.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> blog: http://leshazlewood.com
> stormpath blog: http://www.stormpath.com/blog
>
>
> On Tue, May 8, 2012 at 11:29 AM, Les Hazlewood <lhazlewood@apache.org>
> wrote:
>>
>> The default ServletContainerSessionManager implementation relies on
>> whatever config there is in web.xml.
>>
>> SHIRO-240 was closed because ServletContainerSessionManager no longer has
>> the notion of a globalSessionTimeout property - it doesn't even exist in its
>> class hierarchy because it can't honor it.  After removing that property
>> from its class hierarchy, it became 100% dependent upon the servlet
>> container's behavior.
>>
>> I'd be curious if you find anything when enabling logging in your servlet
>> container to see what is going on.  Which one are you using?
>>
>> Regards,
>>
>> Les
>>
>>
>> On Mon, May 7, 2012 at 10:53 PM, Dan Tran <dantran@gmail.com> wrote:
>>>
>>> Hi Les,
>>>
>>> Not sure if my issue related to this
>>> https://issues.apache.org/jira/browse/SHIRO-240?
>>>
>>> Perhaps, i should reopen SHIRO-240?
>>>
>>> -Dan
>>>
>>> On Wed, May 2, 2012 at 6:56 AM, Les Hazlewood <lhazlewood@apache.org>
>>> wrote:
>>> > On Mon, Apr 30, 2012 at 2:38 PM, Dan Tran <dantran@gmail.com> wrote:
>>> >>
>>> >> due to this config
>>> >>
>>> >>  <bean id="securityManager"
>>> >> class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
>>> >>    [....]
>>> >>    <property name="sessionManager.globalSessionTimeout"
>>> >> value="1800000" />
>>> >>    [....]
>>> >>  </bean>
>>> >
>>> > The above config is only valid if you've configured Shiro to use a
>>> > 'native' session manager.  By default, the DefaultWebSecurityManager
>>> > uses a Servlet Container-based session manager, which delegates all
>>> > session management behavior to the Servlet Container.
>>> >
>>> >> So I ended up to add this into my web.xml
>>> >>
>>> >>  <session-config>
>>> >>    <session-timeout>30</session-timeout>
>>> >>  </session-config>
>>> >>
>>> >> I dont think this is working either ( i change the value to 1 and
>>> >> session is not timing out after 1 minute )
>>> >
>>> > This appears to be correct.  I can't speak as to why your servlet
>>> > container wouldn't be honoring a 1-minute timeout, but this would be
>>> > out of Shiro's control since you're using Servlet Container-based
>>> > session management.
>>> >
>>> > HTH,
>>> >
>>> > --
>>> > Les Hazlewood
>>> > CTO, Stormpath | http://stormpath.com | 888.391.5282
>>> > twitter: @lhazlewood | http://twitter.com/lhazlewood
>>> > blog: http://leshazlewood.com
>>> > stormpath blog: http://www.stormpath.com/blog
>>
>>
>

Mime
View raw message