Posted to user@shiro.apache.org by Albert Kam <mo...@gmail.com> on 2013/07/13 14:03:39 UTC

My globalSessionTimeout doesn't work.

I am currently using Shiro + Spring for a web application, with this
setup:
- my own realm
- a custom sessionDAO
- in sessionManager, 1 hour of timeout, false on
the sessionValidationSchedulerEnabled as I'm making use of a custom TTL
mechanism in the background
- enable the static methods of SecurityUtils by setting the securityManager
manually in the Spring XML
- using native sessions instead of web sessions
- since I'm using native sessions, I don't deploy Shiro filters (is this
wrong?)

One thing I notice is that my session seems to time out very quickly, in only a
matter of a few minutes, not an hour as in the globalSessionTimeout configuration
in the XML.
In the app, things are as normal: before login, isAuthenticated is false;
after login the subject is correct, the principal is fine, the session is
stored correctly, and authentication works when doing login.

So, what I did was try to find out how Shiro manages to 'remember' who I
am in subsequent requests by printing out cookies + request headers. But I
found nothing that relates to Shiro being able to remember me.

I am still currently testing with a single user.

Please share your insights on what could be the culprit here.

-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)

Re: My globalSessionTimeout doesn't work.

Posted by Nagaraju Kurma <na...@enhancesys.com>.
Or else try it like this, it works:

<bean id="securityManager" class="org.apache.shiro.mgt.DefaultSecurityManager">
    <property name="realm" ref="myRealm"/>
    <property name="sessionManager.globalSessionTimeout" value="3600000" />
</bean>



On Sat, Jul 13, 2013 at 9:29 PM, Albert Kam <mo...@gmail.com> wrote:

> Ah, I noticed now that I didn't use the web beans.
> I have changed both the session and security manager to the Web ones.
> Also, following your example and the doc, I have configured it to use
> sessionMode = native as well.
> And also, to make all this work in the web env, I placed the minimal
> Shiro filter
>     <bean id="shiroFilter"
>           class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>         <property name="securityManager" ref="securityManager"/>
>     </bean>
> and also put the filter + the filter mapping in the web.xml.
>
> The good news is that I can see the log outputs from my sessionDAO upon
> every request,
> and I can also see that the JSESSIONID and cookies are being sent from the
> browser now.
>
> I still have some problems, but I think it's more appropriate for them to be
> discussed in a new thread.
>
> Thanks so much for the help!
>
>
> On Sat, Jul 13, 2013 at 7:16 PM, Albert Kam <mo...@gmail.com> wrote:
>
>> Here are my configurations, sorry for not including them previously:
>>
>> <bean id="sha256Matcher"
>>       class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
>>     <property name="hashAlgorithmName" value="SHA-256" />
>>     <property name="hashIterations" value="1024" />
>>     <property name="storedCredentialsHexEncoded" value="false" />
>> </bean>
>>
>> <bean id="myCustomRealm" class="kam.albert.security.MyCustomRealm">
>>     <property name="credentialsMatcher" ref="sha256Matcher" />
>> </bean>
>>
>> <bean id="sessionDAO" class="kam.albert.security.MyCustomShiroSessionDao" />
>>
>> <bean id="sessionManager"
>>       class="org.apache.shiro.session.mgt.DefaultSessionManager">
>>     <property name="globalSessionTimeout" value="3600000" /> <!-- 1 hour -->
>>     <property name="sessionDAO" ref="sessionDAO" />
>>     <property name="sessionValidationSchedulerEnabled" value="false" />
>> </bean>
>>
>> <bean id="securityManager"
>>       class="org.apache.shiro.mgt.DefaultSecurityManager">
>>     <!-- Single realm app.  If you have multiple realms, use the
>>          'realms' property instead. -->
>>     <property name="realm" ref="myCustomRealm"/>
>>     <property name="sessionManager" ref="sessionManager" />
>> </bean>
>>
>> <bean id="lifecycleBeanPostProcessor"
>>       class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
>>
>> <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
>>     <property name="staticMethod"
>>               value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
>>     <property name="arguments" ref="securityManager"/>
>> </bean>
>>
>>
>>
>> On Sat, Jul 13, 2013 at 7:12 PM, Nagaraju Kurma <
>> nagaraju.kurma@enhancesys.com> wrote:
>>
>>> Can you send your code?
>>>
>>> Or else you can refer to the following code, which is working perfectly for
>>> me.
>>>
>>> <bean id="sessionManager"
>>>       class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
>>>     <property name="globalSessionTimeout" value="1000000"></property>  <!-- in milliseconds -->
>>>     <property name="sessionListeners">
>>>         <util:list>
>>>             <bean class="net.enh.auth.listener.SessionAwareListener"></bean>
>>>         </util:list>
>>>     </property>
>>> </bean>
>>>
>>> <bean id="securityManager"
>>>       class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
>>>     <!-- <property name="cacheManager" ref="cacheManager" /> -->
>>>     <property name="sessionMode" value="native" />
>>>     <property name="realm" ref="postgressRealm" />
>>>     <property name="sessionManager" ref="sessionManager"></property>
>>> </bean>
>>>
>>>
>>>
>>> On Sat, Jul 13, 2013 at 5:33 PM, Albert Kam <mo...@gmail.com> wrote:
>>>
>>>> I am currently using Shiro + Spring for a web application, with this
>>>> setup:
>>>> - my own realm
>>>> - a custom sessionDAO
>>>> - in sessionManager, 1 hour of timeout, false on
>>>> the sessionValidationSchedulerEnabled as I'm making use of a custom TTL
>>>> mechanism in the background
>>>> - enable the static methods of SecurityUtils by setting the
>>>> securityManager manually in the Spring XML
>>>> - using native sessions instead of web sessions
>>>> - since I'm using native sessions, I don't deploy Shiro filters (is this
>>>> wrong?)
>>>>
>>>> One thing I notice is that my session seems to time out very quickly, in
>>>> only a matter of a few minutes, not an hour as in the globalSessionTimeout
>>>> configuration in the XML.
>>>> In the app, things are as normal: before login, isAuthenticated is
>>>> false; after login the subject is correct, the principal is fine, the
>>>> session is stored correctly, and authentication works when doing login.
>>>>
>>>> So, what I did was try to find out how Shiro manages to 'remember'
>>>> who I am in subsequent requests by printing out cookies + request headers. But
>>>> I found nothing that relates to Shiro being able to remember me.
>>>>
>>>> I am still currently testing with a single user.
>>>>
>>>> Please share your insights on what could be the culprit here.
>>>>
>>>> --
>>>> Do not pursue the past. Do not lose yourself in the future.
>>>> The past no longer is. The future has not yet come.
>>>> Looking deeply at life as it is in the very here and now,
>>>> the practitioner dwells in stability and freedom.
>>>> (Thich Nhat Hanh)
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> Regards,
>>>
>>> Nagaraju.
>>>
>>
>>
>>
>> --
>> Do not pursue the past. Do not lose yourself in the future.
>> The past no longer is. The future has not yet come.
>> Looking deeply at life as it is in the very here and now,
>> the practitioner dwells in stability and freedom.
>> (Thich Nhat Hanh)
>>
>
>
>
> --
> Do not pursue the past. Do not lose yourself in the future.
> The past no longer is. The future has not yet come.
> Looking deeply at life as it is in the very here and now,
> the practitioner dwells in stability and freedom.
> (Thich Nhat Hanh)
>



-- 

Regards,

Nagaraju.

Re: My globalSessionTimeout doesn't work.

Posted by Albert Kam <mo...@gmail.com>.
Ah, I noticed now that I didn't use the web beans.
I have changed both the session and security manager to the Web ones.
Also, following your example and the doc, I have configured it to use
sessionMode = native as well.
And also, to make all this work in the web env, I placed the minimal Shiro
filter
    <bean id="shiroFilter"
          class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
    </bean>
and also put the filter + the filter mapping in the web.xml.

The good news is that I can see the log outputs from my sessionDAO upon
every request,
and I can also see that the JSESSIONID and cookies are being sent from the
browser now.

I still have some problems, but I think it's more appropriate for them to be
discussed in a new thread.

Thanks so much for the help!





-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)
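
The setup this message arrives at, written out in full as an added example (not code from the thread or from the Shiro project), including the web.xml entries the message mentions but does not show. Bean ids and the kam.albert.* classes are the ones posted in the thread; the file names and a root Spring web application context are assumptions, and sessionMode is left out because injecting a DefaultWebSessionManager already selects Shiro's native sessions.

```xml
<!-- Added example. File name assumed: applicationContext.xml (inside <beans>) -->

<bean id="sha256Matcher"
      class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
    <property name="hashAlgorithmName" value="SHA-256"/>
    <property name="hashIterations" value="1024"/>
    <property name="storedCredentialsHexEncoded" value="false"/>
</bean>

<bean id="myCustomRealm" class="kam.albert.security.MyCustomRealm">
    <property name="credentialsMatcher" ref="sha256Matcher"/>
</bean>

<bean id="sessionDAO" class="kam.albert.security.MyCustomShiroSessionDao"/>

<!-- Web-aware native session manager: it reads and writes the session-id
     cookie, which DefaultSessionManager never does. -->
<bean id="sessionManager"
      class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="globalSessionTimeout" value="3600000"/> <!-- 1 hour, in ms -->
    <property name="sessionDAO" ref="sessionDAO"/>
    <!-- Background sweep stays off as in the thread; the timeout is still
         checked each time a session is looked up. -->
    <property name="sessionValidationSchedulerEnabled" value="false"/>
</bean>

<bean id="securityManager"
      class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myCustomRealm"/>
    <property name="sessionManager" ref="sessionManager"/>
</bean>

<bean id="lifecycleBeanPostProcessor"
      class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!-- The bean id must equal the <filter-name> in web.xml. -->
<bean id="shiroFilter"
      class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
</bean>

<!-- Assumed location: WEB-INF/web.xml (inside <web-app>) -->

<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

With the scheduler disabled, sessions that are never requested again are not expired by Shiro itself, so the custom TTL mechanism in the session DAO has to remove them.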

Re: My globalSessionTimeout doesn't work.

Posted by Albert Kam <mo...@gmail.com>.
Here are my configurations, sorry for not including them previously:

<bean id="sha256Matcher"
      class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
    <property name="hashAlgorithmName" value="SHA-256" />
    <property name="hashIterations" value="1024" />
    <property name="storedCredentialsHexEncoded" value="false" />
</bean>

<bean id="myCustomRealm" class="kam.albert.security.MyCustomRealm">
    <property name="credentialsMatcher" ref="sha256Matcher" />
</bean>

<bean id="sessionDAO" class="kam.albert.security.MyCustomShiroSessionDao" />

<bean id="sessionManager"
      class="org.apache.shiro.session.mgt.DefaultSessionManager">
    <property name="globalSessionTimeout" value="3600000" /> <!-- 1 hour -->
    <property name="sessionDAO" ref="sessionDAO" />
    <property name="sessionValidationSchedulerEnabled" value="false" />
</bean>

<bean id="securityManager"
      class="org.apache.shiro.mgt.DefaultSecurityManager">
    <!-- Single realm app.  If you have multiple realms, use the 'realms'
         property instead. -->
    <property name="realm" ref="myCustomRealm"/>
    <property name="sessionManager" ref="sessionManager" />
</bean>

<bean id="lifecycleBeanPostProcessor"
      class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="staticMethod"
              value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
    <property name="arguments" ref="securityManager"/>
</bean>






-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)

Re: My globalSessionTimeout doesn't work.

Posted by Nagaraju Kurma <na...@enhancesys.com>.
Can you send your code?

Or else you can refer to the following code, which is working perfectly for me.

<bean id="sessionManager"
      class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="globalSessionTimeout" value="1000000"></property>  <!-- in milliseconds -->
    <property name="sessionListeners">
        <util:list>
            <bean class="net.enh.auth.listener.SessionAwareListener"></bean>
        </util:list>
    </property>
</bean>

<bean id="securityManager"
      class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!-- <property name="cacheManager" ref="cacheManager" /> -->
    <property name="sessionMode" value="native" />
    <property name="realm" ref="postgressRealm" />
    <property name="sessionManager" ref="sessionManager"></property>
</bean>






-- 

Regards,

Nagaraju.