Posted to dev@shiro.apache.org by "Denis Burlaka (JIRA)" <ji...@apache.org> on 2015/03/10 14:16:38 UTC

[jira] [Commented] (SHIRO-512) Race condition in Shiro's web container session timeout handling

    [ https://issues.apache.org/jira/browse/SHIRO-512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14354859#comment-14354859 ] 

Denis Burlaka commented on SHIRO-512:
-------------------------------------

I also have a similar issue:
org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException: getAttribute: Session already invalidated
        at org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148) ~[HttpServletSession.class:1.2.3]
        at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.3]
        at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.3]
        at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469) ~[DelegatingSubject.class:1.2.3]
        at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153) ~[DelegatingSubject.class:1.2.3]
        at org.apache.shiro.subject.support.DelegatingSubject.hasPrincipals(DelegatingSubject.java:126) ~[DelegatingSubject.class:1.2.3]
        at org.apache.shiro.subject.support.DelegatingSubject.isPermitted(DelegatingSubject.java:158) ~[DelegatingSubject.class:1.2.3]


> Race condition in Shiro's web container session timeout handling
> ----------------------------------------------------------------
>
>                 Key: SHIRO-512
>                 URL: https://issues.apache.org/jira/browse/SHIRO-512
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in)
>    Affects Versions: 1.2.2, 1.2.3
>            Reporter: Lenny Primak
>            Priority: Minor
>
> I cannot find anywhere that Shiro uses HttpSessionListener to trap sessionDestroyed event from the container. 
> I believe this is leading to a rare race condition in my application, as Shiro thinks the session is still active, 
> but in reality, the web session has been destroyed. 
> Code:  SecurityUtils.getSubject().getPrincipal(); 
> Relevant bit of stack trace: 
> Caused by: org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException: PWC2778: getAttribute: Session already invalidated 
>         at org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148) 
>         at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) 
>         at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469) 
>         at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153) 
>         at org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149) 
> Link to the mailing list thread: 
> http://shiro-user.582556.n2.nabble.com/Possible-race-condition-in-Shiro-s-web-container-session-timeout-handling-td7580138.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
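
An added example, not part of the original message and not Shiro's own code or a fix from SHIRO-512: a caller-side wrapper that treats the InvalidSessionException seen in both stack traces above as "not authenticated" and denies the request, whether the exception is thrown directly or arrives as a cause. The class name SafeSubject and its methods are hypothetical; it assumes Shiro 1.2.x on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper (not part of Shiro): fail-closed access to the Subject. */
public final class SafeSubject {

    private SafeSubject() {}

    /** True if t, or any exception in its cause chain, is an InvalidSessionException. */
    static boolean causedByInvalidSession(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof InvalidSessionException) {
                return true;
            }
        }
        return false;
    }

    /** Permission check that denies when the container session is already gone. */
    public static boolean isPermitted(String permission) {
        Subject subject = SecurityUtils.getSubject();
        try {
            return subject.isPermitted(permission);
        } catch (RuntimeException e) {
            if (!causedByInvalidSession(e)) {
                throw e; // unrelated failure: do not mask it
            }
            // The web session was invalidated while Shiro still held a
            // reference to it; no principals can be trusted, so deny.
            return false;
        }
    }

    /** Principal lookup that returns null instead of propagating the exception. */
    public static Object principalOrNull() {
        try {
            return SecurityUtils.getSubject().getPrincipal();
        } catch (RuntimeException e) {
            if (!causedByInvalidSession(e)) {
                throw e;
            }
            return null; // caller must treat null as "not logged in"
        }
    }
}
```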