Posted to user@shiro.apache.org by John Moore <gr...@jmsd.co.uk> on 2013/01/17 20:29:20 UTC

What might cause an UnknownSessionException?

I'm having a very difficult time trying to debug a Grails 2.2.0 application
which uses Shiro (1.1.4, via the plugin). For some reason which is
completely mysterious to me, whenever I call the following code, to log out
the current user, I get an UnknownSessionException.




This is the stacktrace:

Message: org.apache.shiro.session.UnknownSessionException: There is no session with id [74639e50-5928-4c31-b92a-ca582f49d4d4]
   Line | Method
->> 133 | getAttribute     in org.apache.shiro.web.servlet.ShiroHttpSession
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|   195 | doFilter         in grails.plugin.cache.web.filter.PageFragmentCachingFilter
|    63 | doFilter . . . . in grails.plugin.cache.web.filter.AbstractFilter
|    55 | doFilter         in org.apache.shiro.grails.SavedRequestFilter
|   449 | executeChain . . in org.apache.shiro.web.servlet.AbstractShiroFilter
|   365 | call             in org.apache.shiro.web.servlet.AbstractShiroFilter$1
|    90 | doCall . . . . . in org.apache.shiro.subject.support.SubjectCallable
|    83 | call             in     ''
|   380 | execute . . . .  in org.apache.shiro.subject.support.DelegatingSubject
|   362 | doFilterInternal in org.apache.shiro.web.servlet.AbstractShiroFilter
|   125 | doFilter . . . . in org.apache.shiro.web.servlet.OncePerRequestFilter
|   886 | runTask          in java.util.concurrent.ThreadPoolExecutor$Worker
|   908 | run . . . . . .  in     ''
^   662 | run              in java.lang.Thread

Caused by UnknownSessionException: There is no session with id [74639e50-5928-4c31-b92a-ca582f49d4d4]
->> 170 | readSession      in org.apache.shiro.session.mgt.eis.AbstractSessionDAO
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|   236 | retrieveSessionFromDataSource in org.apache.shiro.session.mgt.DefaultSessionManager
|   222 | retrieveSession  in     ''
|   118 | doGetSession     in org.apache.shiro.session.mgt.AbstractValidatingSessionManager
|   105 | lookupSession .  in org.apache.shiro.session.mgt.AbstractNativeSessionManager
|   109 | lookupRequiredSession in     ''
|   206 | getAttribute . . in     ''
|   141 | getAttribute     in org.apache.shiro.session.mgt.DelegatingSession
|   121 | getAttribute . . in org.apache.shiro.session.ProxiedSession
|   131 | getAttribute     in org.apache.shiro.web.servlet.ShiroHttpSession
|   195 | doFilter . . . . in grails.plugin.cache.web.filter.PageFragmentCachingFilter
|    63 | doFilter         in grails.plugin.cache.web.filter.AbstractFilter
|    55 | doFilter . . . . in org.apache.shiro.grails.SavedRequestFilter
|   449 | executeChain     in org.apache.shiro.web.servlet.AbstractShiroFilter
|   365 | call . . . . . . in org.apache.shiro.web.servlet.AbstractShiroFilter$1
|    90 | doCall           in org.apache.shiro.subject.support.SubjectCallable
|    83 | call . . . . . . in     ''
|   380 | execute          in org.apache.shiro.subject.support.DelegatingSubject
|   362 | doFilterInternal in org.apache.shiro.web.servlet.AbstractShiroFilter
|   125 | doFilter         in org.apache.shiro.web.servlet.OncePerRequestFilter
|   886 | runTask . . . .  in java.util.concurrent.ThreadPoolExecutor$Worker
|   908 | run              in     ''
^   662 | run . . . . . .  in java.lang.Thread

The strangest thing is that in a newly created Grails 2.2.0 app, with
apparently identical code, no such error is thrown. I cannot for the life of
me work out where the difference might be.

So, what kind of conditions might cause such an exception?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/What-might-cause-an-UnknownSessionException-tp7578179.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: What might cause an UnknownSessionException?

Posted by John Moore <gr...@jmsd.co.uk>.
I don't think that's what's happening in my case - I'm just doing a redirect
to the home page. If you have Grails 2.2.0 installed, you can see it in
action in this little demo Grails app:

https://dl.dropbox.com/u/482435/shirotest220.zip

1. Go to /auth/login. Log in as 'test'/'test'.
2. Go to /auth/signOut. You will see the stack trace. signOut in
AuthController will show you the code. It's nothing at all special - it
really just seems that there's some clash with native sessions with session
handling in Grails 2 (and seemingly Vaadin as well).




Re: What might cause an UnknownSessionException?

Posted by Les Hazlewood <lh...@apache.org>.
Hi John,

I'm happy to look at this when I can dedicate a bit more time - we're
slammed with new customers and preparing for another release, but I'll do
my best to make some time!

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Thu, Jan 24, 2013 at 7:01 AM, John Moore <gr...@jmsd.co.uk> wrote:

> If you get the chance to have a look at this some time, Les, it would be
> appreciated.
>
> The good news in the meantime, though, is that I have come up with a simple
> workaround which appears to do the job of effectively logging an
> authenticated user out without triggering the UnknownSessionException. In my
> signout method, instead of calling SecurityUtils.getSubject().logout(), I
> simply delete all the existing session attributes (loop through
> session.getAttributeNames()), which leaves the session 'empty' rather than
> invalidating it. This means that whatever it is further up the filter chain
> which is flipping out because it can't find the session identified in the
> request cookie will be happy - the session is there, but no longer contains
> the authentication information so that any further request will cause a
> redirect to the login page again.
>
> I have chosen to remove all session attributes, as opposed to just the ones
> associated with authentication, which appear to be these two:
>
>
> org.apache.shiro.subject.support.DefaultSubjectContext_AUTHENTICATED_SESSION_KEY
>
> org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY
>
> That's because in this app, there are no actions which do not require a user
> to be logged in, so it makes sense to clear out as much memory as possible
> when the user logs out.
>
> If anyone can see any obvious pitfalls with this approach, please let me
> know...
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/What-might-cause-an-UnknownSessionException-tp7578179p7578202.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: What might cause an UnknownSessionException?

Posted by John Moore <gr...@jmsd.co.uk>.
If you get the chance to have a look at this some time, Les, it would be
appreciated.

The good news in the meantime, though, is that I have come up with a simple
workaround which appears to do the job of effectively logging an
authenticated user out without triggering the UnknownSessionException. In my
signout method, instead of calling SecurityUtils.getSubject().logout(), I
simply delete all the existing session attributes (loop through
session.getAttributeNames()), which leaves the session 'empty' rather than
invalidating it. This means that whatever it is further up the filter chain
which is flipping out because it can't find the session identified in the
request cookie will be happy - the session is there, but no longer contains
the authentication information so that any further request will cause a
redirect to the login page again.

I have chosen to remove all session attributes, as opposed to just the ones
associated with authentication, which appear to be these two:

org.apache.shiro.subject.support.DefaultSubjectContext_AUTHENTICATED_SESSION_KEY
org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY

That's because in this app, there are no actions which do not require a user
to be logged in, so it makes sense to clear out as much memory as possible
when the user logs out.

If anyone can see any obvious pitfalls with this approach, please let me
know...




Re: What might cause an UnknownSessionException?

Posted by John Moore <gr...@jmsd.co.uk>.
Just to re-emphasize some important points with this:

1. I am, in fact, doing a redirect to the home page immediately after the
logout call. It never gets there, though, because the exception occurs
somewhere along the filter chain.

2. The exact same code, with the exact same Shiro version, worked in Grails
1.3.9, but doesn't in Grails 2.x. So something has changed in the way Grails
is handling sessions (?) with resulting problems for Shiro native sessions.
I'm trying to work out what that might be, to see if I can effect a
workaround. (I've asked about this over on the Grails mailing list too).







Re: What might cause an UnknownSessionException?

Posted by Eduard Neuwirt <ed...@gmail.com>.
Hi Les,

I think you got this. It seems to be the error scenario I am facing with 
Vaadin too. I will try to find a simple example.

Thanks Eduard

On 21-Jan-13 23:11, Les Hazlewood wrote:
> Hi John,
>
> I *think* I might know how this might occur:
>
> If you call logout() it terminates the backing session.  If, later, 
> during the same thread execution (but before the response is 
> complete), a new subject instance is created or someone/something 
> attempts to create a new session using the session id of the session 
> that was just terminated, this exception would likely occur.
>
> Most people issue a redirect immediately after calling 
> subject.logout() to ensure that potential things 'further down' the 
> stack don't attempt to use or create a new session.
>
> Now, I don't know if this is exactly what is occurring in your case, 
> but it's a hunch.  If anyone has a sample web app that can re-create 
> this, I can give it a more in-depth look as soon as I'm able.
>
> HTH,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
> Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
>
>
> On Mon, Jan 21, 2013 at 10:25 AM, John Moore <grails@jmsd.co.uk> wrote:
>
>     Still struggling with this. Forget what I said in the first post - this is
>     completely reproducible in a new web application. It's some interaction
>     between Shiro native sessions and Grails, which changed between Grails 1.3.x
>     and Grails 2. In Grails 2, when native sessions are used,
>     SecurityUtils.getSubject().logout() causes the UnknownSessionException when
>     the response is rendered. With Grails 1.3.x this works fine.
>
>
>
>     --
>     View this message in context:
>     http://shiro-user.582556.n2.nabble.com/What-might-cause-an-UnknownSessionException-tp7578179p7578187.html
>     Sent from the Shiro User mailing list archive at Nabble.com.
>
>


Re: What might cause an UnknownSessionException?

Posted by Les Hazlewood <lh...@apache.org>.
Hi John,

I *think* I might know how this might occur:

If you call logout() it terminates the backing session.  If, later, during
the same thread execution (but before the response is complete), a new
subject instance is created or someone/something attempts to create a new
session using the session id of the session that was just terminated, this
exception would likely occur.

Most people issue a redirect immediately after calling subject.logout() to
ensure that potential things 'further down' the stack don't attempt to use
or create a new session.

Now, I don't know if this is exactly what is occurring in your case, but
it's a hunch.  If anyone has a sample web app that can re-create this, I
can give it a more in-depth look as soon as I'm able.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk


On Mon, Jan 21, 2013 at 10:25 AM, John Moore <gr...@jmsd.co.uk> wrote:

> Still struggling with this. Forget what I said in the first post - this is
> completely reproducible in a new web application. It's some interaction
> between Shiro native sessions and Grails, which changed between Grails 1.3.x
> and Grails 2. In Grails 2, when native sessions are used,
> SecurityUtils.getSubject().logout() causes the UnknownSessionException when
> the response is rendered. With Grails 1.3.x this works fine.
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/What-might-cause-an-UnknownSessionException-tp7578179p7578187.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: What might cause an UnknownSessionException?

Posted by John Moore <gr...@jmsd.co.uk>.
Eduard Neuwirt-2 wrote
> Hi, 
> I am getting the same problem with Vaadin too. No idea what is the cause. 

Interesting! I wonder whether the problem lies perhaps in some new servlet
feature, say, that Grails 2 and Vaadin are using? 





Re: What might cause an UnknownSessionException?

Posted by Eduard Neuwirt <ed...@gmail.com>.
Hi, 
I am getting the same problem with Vaadin too. No idea what is the cause. 

Regards
Eduard 

On 21.01.2013 at 19:25, John Moore <gr...@jmsd.co.uk> wrote:

> Still struggling with this. Forget what I said in the first post - this is
> completely reproducible in a new web application. It's some interaction
> between Shiro native sessions and Grails, which changed between Grails 1.3.x
> and Grails 2. In Grails 2, when native sessions are used,
> SecurityUtils.getSubject().logout() causes the UnknownSessionException when
> the response is rendered. With Grails 1.3.x this works fine.
> 
> 
> 
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/What-might-cause-an-UnknownSessionException-tp7578179p7578187.html
> Sent from the Shiro User mailing list archive at Nabble.com.

Re: What might cause an UnknownSessionException?

Posted by John Moore <gr...@jmsd.co.uk>.
Still struggling with this. Forget what I said in the first post - this is
completely reproducible in a new web application. It's some interaction
between Shiro native sessions and Grails, which changed between Grails 1.3.x
and Grails 2. In Grails 2, when native sessions are used,
SecurityUtils.getSubject().logout() causes the UnknownSessionException when
the response is rendered. With Grails 1.3.x this works fine.




Re: What might cause an UnknownSessionException?

Posted by John Moore <gr...@jmsd.co.uk>.
I still haven't got to the bottom of this, but I've discovered a bit more
about the problem. It's not actually triggered by the logout method
(SecurityUtils.getSubject().logout()), but happens immediately afterwards.
The key bit in the stacktrace seems to be this:

Caused by UnknownSessionException: There is no session with id [43608294-24be-478c-8082-de288379de13]
->> 170 | readSession      in org.apache.shiro.session.mgt.eis.AbstractSessionDAO
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
|   261 | readSession      in org.apache.shiro.session.mgt.eis.CachingSessionDAO
|   236 | retrieveSessionFromDataSource in org.apache.shiro.session.mgt.DefaultSessionManager

It's trying to read the session from the SessionDAO and as there is no such
session, the exception occurs. But why should it be trying to read the
session from the SessionDAO at this point? My understanding is that the
cache mechanism in use should have deleted the session from the DAO as a
result of the logout call.

I'm using my own CacheManager implementation based on Redis, but the problem
occurs even if I disable this and just use the inbuilt caching mechanism. 


