Posted to user@shiro.apache.org by Tauren Mills <ta...@groovee.com> on 2011/02/08 04:18:50 UTC

UnknownSessionException when upgrading to Wicket 1.4.15 from Wicket 1.4.6 with Shiro 1.1.0

I'm seeing an exception when users log out of my Wicket application. It
seems that the session is being looked up again after it has already been
removed. See the exception below.

This was not happening when using Wicket 1.4.6, but when I upgrade to 1.4.15
I am getting exceptions. I have confirmed that simply changing wicket
versions makes the problem go away or start happening -- no other changes
are made to the app except upgrading Wicket.

I have this logic in my AuthenticatedSession class (extends wicket's
WebSession) that is called when a user requests to log out:

    public boolean logout() {
        log.info("Member logout: " + SecurityUtils.getSubject().getPrincipal());
        SecurityUtils.getSubject().logout();
        if (SecurityUtils.getSubject().isAuthenticated())
            dirty();
        else
            invalidate();
        return true;
    }

I can't even remember now why I have that isAuthenticated() test and logic
in there. At some point it must have done something, but maybe all I need
now is just:

SecurityUtils.getSubject().logout();

When I remove the if/then clause, I no longer get an exception. But I'm
confused why upgrading Wicket would cause this to happen, as it seems
unrelated.

Any thoughts on what's going on here?

Tauren


2011-02-08 00:58:06,478 WARN  - AbstractHttpSessionStore   - Error while invalidating Session Store: Session already invalidated
java.lang.IllegalStateException: org.apache.shiro.session.UnknownSessionException: There is no session with id [939f87f4-ee49-4347-944c-82e5cb95bebb]
    at org.apache.shiro.web.servlet.ShiroHttpSession.getAttribute(ShiroHttpSession.java:133)
    at org.apache.wicket.protocol.http.AbstractHttpSessionStore.invalidate(AbstractHttpSessionStore.java:210)
    at org.apache.wicket.Session.invalidateNow(Session.java:882)
    at org.apache.wicket.Session.detach(Session.java:1196)
    at com.sprtz.web.AuthenticatedSession.detach(AuthenticatedSession.java:72)
    at org.apache.wicket.RequestCycle.threadDetach(RequestCycle.java:1481)
    at org.apache.wicket.RequestCycle.detach(RequestCycle.java:1218)
    at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1462)
    at org.apache.wicket.RequestCycle.request(RequestCycle.java:545)
    at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:486)
    at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:319)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:359)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:275)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:344)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:272)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:81)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
    at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:729)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:324)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:513)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
    at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
    at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)
Caused by: org.apache.shiro.session.UnknownSessionException: There is no session with id [939f87f4-ee49-4347-944c-82e5cb95bebb]
    at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
    at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
    at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
    at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
    at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
    at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
    at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:206)
    at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141)
    at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
    at org.apache.shiro.web.servlet.ShiroHttpSession.getAttribute(ShiroHttpSession.java:131)
    ... 38 more

Re: UnknownSessionException when upgrading to Wicket 1.4.15 from Wicket 1.4.6 with Shiro 1.1.0

Posted by Les Hazlewood <lh...@apache.org>.
No prob Tauren - glad to help!

Best,

Les

On Tue, Feb 8, 2011 at 2:04 PM, Tauren Mills <ta...@groovee.com> wrote:
> Les,
> That's the same conclusion I came to. In fact, I'm not quite sure why that
> logic was in the logout method as it didn't seem to make sense. It was added
> long ago by another developer who is no longer on my team. I just wanted to
> make sure there wasn't something I was missing, so thanks for verifying
> this.
> Tauren

Re: UnknownSessionException when upgrading to Wicket 1.4.15 from Wicket 1.4.6 with Shiro 1.1.0

Posted by Tauren Mills <ta...@groovee.com>.
Les,

That's the same conclusion I came to. In fact, I'm not quite sure why that
logic was in the logout method as it didn't seem to make sense. It was added
long ago by another developer who is no longer on my team. I just wanted to
make sure there wasn't something I was missing, so thanks for verifying
this.

Tauren


On Tue, Feb 8, 2011 at 3:34 PM, Les Hazlewood <lh...@apache.org> wrote:

> Hi Tauren,
>
> It looks to me like the invalidate() method is, under the covers,
> invalidating the session.  subject.logout() already does this
> automatically (if a subject logs out, it is fully expected that their
> session should always be stopped).  Calling both would cause a problem
> since the 2nd call clearly attempts to invalidate a session that is
> already invalidated (throwing the exception).
>
> Also, for this code sequence:
>
> SecurityUtils.getSubject().logout();
> if (SecurityUtils.getSubject().isAuthenticated()) {
> ...
> }
>
> the isAuthenticated() check will _always_ return false.  Once you log
> out, the subject is no longer considered authenticated.  So, just
> reducing your code to this:
>
> SecurityUtils.getSubject().logout();
> return true;
>
> should work in all cases.
>
> Because the SecurityUtils.getSubject().isAuthenticated() check was
> always returning false, invalidate() was always being called.  Clearly
> the wicket team changed something in their invalidate() logic between
> releases, but I couldn't say what that was.
>
> HTH!
>
> Cheers,
>
> --
> Les Hazlewood
> Founder, Katasoft, Inc.
> Application Security Products & Professional Apache Shiro Support and
> Training:
> http://www.katasoft.com

Re: UnknownSessionException when upgrading to Wicket 1.4.15 from Wicket 1.4.6 with Shiro 1.1.0

Posted by Les Hazlewood <lh...@apache.org>.
Hi Tauren,

It looks to me like the invalidate() method is, under the covers,
invalidating the session.  subject.logout() already does this
automatically (if a subject logs out, it is fully expected that their
session should always be stopped).  Calling both would cause a problem
since the 2nd call clearly attempts to invalidate a session that is
already invalidated (throwing the exception).

Also, for this code sequence:

SecurityUtils.getSubject().logout();
if (SecurityUtils.getSubject().isAuthenticated()) {
...
}

the isAuthenticated() check will _always_ return false.  Once you log
out, the subject is no longer considered authenticated.  So, just
reducing your code to this:

SecurityUtils.getSubject().logout();
return true;

should work in all cases.

Because the SecurityUtils.getSubject().isAuthenticated() check was
always returning false, invalidate() was always being called.  Clearly
the wicket team changed something in their invalidate() logic between
releases, but I couldn't say what that was.

HTH!

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Mon, Feb 7, 2011 at 7:18 PM, Tauren Mills <ta...@groovee.com> wrote:
> I'm seeing an exception when users log out of my Wicket application. It
> seems that the session is being looked up again after it has already been
> removed. See the exception below.
> This was not happening when using Wicket 1.4.6, but when I upgrade to 1.4.15
> I am getting exceptions. I have confirmed that simply changing wicket
> versions makes the problem go away or start happening -- no other changes
> are made to the app except upgrading Wicket.
> I have this logic in my AuthenticatedSession class (extends wicket's
> WebSession) that is called when a user requests to log out:
>     public boolean logout() {
>             log.info("Member logout: "+SecurityUtils.getSubject().getPrincipal());
>             SecurityUtils.getSubject().logout();
>             if (SecurityUtils.getSubject().isAuthenticated())
>                 dirty();
>             else
>                 invalidate();
>             return true;
>     }
> I can't even remember now why I have that isAuthenticated() test and logic
> in there. At some point it must have done something, but maybe all I need
> now is just:
> SecurityUtils.getSubject().logout();
> When I remove the if/then clause, I no longer get an exception. But I'm
> confused why upgrading Wicket would cause this to happen, as it seems
> unrelated.
> Any thoughts on what's going on here?
> Tauren
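
The behaviour described in the reply above can be reproduced outside Wicket. This is an added example, not code from the thread or from the Shiro or Wicket projects: it uses Shiro's non-web DefaultSecurityManager with a constructed in-memory account, and the held Session reference stands in for a framework that touches the session again after logout. The class name, account and attribute key are assumptions made for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

// Hypothetical demo class: shows that Subject.logout() already ends the
// session, so any later session access (such as a second invalidate) fails.
public class LogoutSessionDemo {

    // Constructed sample values, not taken from the thread.
    private static final String USER = "member";
    private static final String PASSWORD = "sample-password";
    private static final String ATTRIBUTE_KEY = "demo-attribute";

    public static void main(String[] args) {
        // In-memory realm with one account, managed by Shiro's native
        // (non-servlet) session manager.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount(USER, PASSWORD);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken(USER, PASSWORD));

        // Keep a reference to the session, the way a web framework's
        // session store does while a request is in flight.
        Session held = subject.getSession();
        held.setAttribute(ATTRIBUTE_KEY, "page state");

        // logout() clears the subject's identity and stops its session.
        subject.logout();

        // The check from the original logout() method: it can no longer
        // be true at this point, so the else branch always ran.
        System.out.println("isAuthenticated() after logout: "
                + subject.isAuthenticated());

        // Stand-in for the framework's own invalidate step reading the
        // session again after Shiro has already removed it.
        try {
            held.getAttribute(ATTRIBUTE_KEY);
            System.out.println("session was still readable after logout");
        } catch (InvalidSessionException e) {
            // UnknownSessionException is a subclass of InvalidSessionException.
            System.out.println("session access after logout failed: "
                    + e.getClass().getName());
        }
    }
}
```

Code that has to touch the session around logout should do so before calling logout(), or treat InvalidSessionException as the expected outcome afterwards.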