Posted to user@shiro.apache.org by jvreeker <jv...@vangennep.nl> on 2009/01/20 14:50:56 UTC

Session Expiration

I have some problems with expiration of a session. 
I created a login function.
	
Subject currentUser = securityManager.getSubject();
if (!currentUser.isAuthenticated())
{
    currentUser.login(usernamePasswordToken);

    Session s = currentUser.getSession();

    s.setTimeout(600000);
    s.setAttribute(CacheConstants.USEROBJECT, tmpData);
}

So timeout is 10 minutes.
If I wait for more than 10 minutes and log in again with the same user I
always get ExpiredSessionException.
How can I remove this session and log in again and create a new Session?

Thanks,
Jelle
			


Re: Session Expiration

Posted by ankur <an...@gmail.com>.
Hello,

I have hit the same problem. Is there any other workaround for this problem
except extending SecurityManager?

Thanks
Ankur




Re: Session Expiration

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jelle,

Look at this test class for a usage scenario:

http://svn.apache.org/repos/asf/incubator/jsecurity/trunk/core/test/org/jsecurity/mgt/DefaultSecurityManagerTest.java

Specifically the "autoCreateSessionAfterInvalidation" test case.

A note of clarification too:

Application Developers should be using the Subject/Session API (as shown in
the above test case) instead of interacting with the SecurityManager
directly.

Framework Developers on the other hand, focusing on framework/integration
code, might find working with the SecurityManager directly useful, but it
rarely needs to be accessed by Application Developers.

Does the above test code help?  It basically asserts that a Session will be
transparently re-created automatically without throwing an Exception to the
application developer.  This is verified by the fact that session.getId()
returns a different ID than the one that was first acquired before the
session timed out.

Were you looking for something else?  This behavior is essentially what
happens in servlet environments, which is why I've carried over the same
behavior in a non-servlet environment - principle of 'least surprise' for
application developers that are comfortable with that behavior.  Please let
us know if there would be some behavior that makes more sense to you if the
current behavior does not.

Regards,

Les

On Mon, Jan 26, 2009 at 11:52 AM, jvreeker <jv...@vangennep.nl> wrote:

>
> Hi Les,
>
> I am a little bit confused. I am using the 1.0 version.
> But a user logs in and then for a while he doesn't do anything. So the
> session is expired.
> Now he logs in again, so the Subject is still available; only the session
> is expired. How can I check if the session is invalid?
>
> The problem is that I get a ReplaceSessionException somewhere in the server
> when I check if the SessionID is valid. But I need to know this when a user
> logs in again, so I can send the right session ID back.
>
> Thanks,
>
> Jelle

Re: Session Expiration

Posted by jvreeker <jv...@vangennep.nl>.
Hi Les,

I am a little bit confused. I am using the 1.0 version.
But a user logs in and then for a while he doesn't do anything. So the
session is expired.
Now he logs in again, so the Subject is still available; only the session
is expired. How can I check if the session is invalid?

The problem is that I get a ReplaceSessionException somewhere in the server
when I check if the SessionID is valid. But I need to know this when a user
logs in again, so I can send the right session ID back.

Thanks,

Jelle


Re: Session Expiration

Posted by Les Hazlewood <lh...@apache.org>.
Sorry, I meant to write 'SecurityManager', not 'SubjectManager'.

In any event, I resolved that issue last night, with the functionality in
place.  You could try to check-out the project and build it yourself if you
want to live on the 'bleeding edge'.  Be aware though that odds are high
that things will change prior to the 1.0 release, but at least you can move
forward and then maybe change any necessary application code when 1.0 is
released.

Regards,

Les

On Mon, Jan 26, 2009 at 9:30 AM, jvreeker <jv...@vangennep.nl> wrote:

>
> Hi Les,
> I don't know how to implement something like the SubjectManager, can you
> give a short example of that?
> Thanks,
>
> Jelle

Re: Session Expiration

Posted by jvreeker <jv...@vangennep.nl>.
Hi Les,
I don't know how to implement something like the SubjectManager, can you
give a short example of that?
Thanks,

Jelle


Les Hazlewood-2 wrote:
>
> Hi Jelle,
>
> In a web-environment, the JSecurityFilter does some automatic logic:
>
> when a request comes in, it tries to acquire the session associated with
> the request.  If the session is expired (catches an
> ExpiredSessionException), it automatically creates a new one.
>
> The DefaultSecurityManager, used in a non-web environment, does not
> currently automatically perform this 'auto create if expired' logic.  I've
> added a Jira issue to track this:
> https://issues.apache.org/jira/browse/JSEC-46  as I feel it would be a
> worthwhile improvement.
>
> In the meantime, you could always have a wrapper SubjectManager that you
> interact with in your application that wraps the Subject.* calls (this is
> a good idea anyway, as it abstracts JSecurity's API away from your
> application).  In that implementation, you could catch any
> InvalidSessionException and then automatically create a new session and
> return that.
>
> Please subscribe to the Jira issue if you want to see when the
> functionality will be available.
>
> Cheers,
>
> Les


Re: Session Expiration

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jelle,

In a web-environment, the JSecurityFilter does some automatic logic:

when a request comes in, it tries to acquire the session associated with the
request.  If the session is expired (catches an ExpiredSessionException), it
automatically creates a new one.

The DefaultSecurityManager, used in a non-web environment, does not
currently automatically perform this 'auto create if expired' logic.  I've
added a Jira issue to track this:
https://issues.apache.org/jira/browse/JSEC-46  as I feel it would be a
worthwhile improvement.

In the meantime, you could always have a wrapper SubjectManager that you
interact with in your application that wraps the Subject.* calls (this is a
good idea anyway, as it abstracts JSecurity's API away from your
application).  In that implementation, you could catch any
InvalidSessionException and then automatically create a new session and
return that.

Please subscribe to the Jira issue if you want to see when the functionality
will be available.

Cheers,

Les

On Tue, Jan 20, 2009 at 10:05 AM, jvreeker <jv...@vangennep.nl> wrote:

>
> I am using a Spring service and Hibernate.
>
> I have a credentialsMatcher that is using a DAO to check if the user exists
> in the DB.
> I think I forget something!
>
> Jelle
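
Added example, not part of the original thread and not JSecurity/Shiro project code: one way the wrapper described in the message above could look for a non-web application using native sessions. It is written against Apache Shiro's org.apache.shiro API (the successor to JSecurity); the class and method names, and the choice to log the Subject out when its session has expired so that the old login is not carried into the new session, are assumptions of this example.

```java
import java.io.Serializable;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/** Hypothetical application-side wrapper around the Subject.* calls. */
public final class SubjectManager {

    // 10 minutes in milliseconds, the value used in the original question.
    private static final long TIMEOUT_MILLIS = 600_000L;

    /** Returns a usable session, replacing one that has expired or been stopped. */
    public Session currentSession() {
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession();
        try {
            // touch() throws InvalidSessionException once the session is expired or stopped.
            session.touch();
            return session;
        } catch (InvalidSessionException stale) {
            // Assumption of this example: an expired session also ends the login.
            // logout() clears the Subject's identity and its reference to the dead
            // session, so the next getSession(true) call starts a fresh one.
            subject.logout();
            return subject.getSession(true);
        }
    }

    /** Logs the caller in if needed and returns the id of the session valid afterwards. */
    public Serializable login(AuthenticationToken token) {
        // Resolve stale state first, so isAuthenticated() reflects a live session.
        Session session = currentSession();
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            subject.login(token);
            session = subject.getSession();
            session.setTimeout(TIMEOUT_MILLIS);
        }
        return session.getId();
    }
}
```

The id returned by login() is the one to hand back to the client; after an expiry it differs from the id issued at the first login.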

Re: Session Expiration

Posted by jvreeker <jv...@vangennep.nl>.
I am using a Spring service and Hibernate.

I have a credentialsMatcher that is using a DAO to check if the user exists
in the DB.
I think I forget something!

Jelle


Les Hazlewood-2 wrote:
> 
> Hi Jelle,
> 
> What environment are you running in?  Is this a web application or
> business-tier/standalone?
> 
> Thanks,
> 
> Les


Re: Session Expiration

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jelle,

What environment are you running in?  Is this a web application or
business-tier/standalone?

Thanks,

Les

On Tue, Jan 20, 2009 at 8:50 AM, jvreeker <jv...@vangennep.nl> wrote:

>
> I have some problems with expiration of a session.
> I created a login function.
>
> Subject currentUser = securityManager.getSubject();
> if (!currentUser.isAuthenticated())
> {
>     currentUser.login(usernamePasswordToken);
>
>     Session s = currentUser.getSession();
>
>     s.setTimeout(600000);
>     s.setAttribute(CacheConstants.USEROBJECT, tmpData);
> }
>
> So timeout is 10 minutes.
> If I wait for more than 10 minutes and log in again with the same user I
> always get ExpiredSessionException.
> How can I remove this session and log in again and create a new Session?
>
> Thanks,
> Jelle