Posted to dev@shiro.apache.org by Emmanuel Lécharny <el...@gmail.com> on 2013/06/24 17:33:47 UTC

Pb with the generated JSessionID

Hi guys,

a fellow Apache committer (Henry Gomez) told me that he has some issues
with Shiro used in Nexus: Shiro rewrites the underlying Tomcat
JSessionID, losing the information it contains.

Cf https://issues.sonatype.org/browse/NEXUS-5756

It sounds a bit strange.

Do you have any idea about what can be the pb ?

Many thanks !

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Re: Pb with the generated JSessionID

Posted by Les Hazlewood <lh...@apache.org>.
Hi Emmanuel!

Good to hear from you.

This depends on how Nexus is using Shiro - if Nexus uses Shiro as the
native session manager (e.g. for session clustering and
customization), this completely bypasses the servlet container's
session mechanisms on purpose.  Shiro implements the Servlet 2.5
specification (for Sessions), so there is no need to talk to the
servlet container for Sessions.

If Nexus uses Shiro's native sessions, and someone tries to modify the
servlet container's session-related configuration, then of course
Shiro has no knowledge of this - it would be a Tomcat-specific
feature.  This means that Tomcat (or anything else in front of Shiro,
like a load balancer) should 1) remove any modifications from the
JSESSIONID before the application (and thus Shiro) reads it and 2) add
to the JSESSIONID cookie value after Shiro is done writing it.

This is a common technique performed by load balancers - the key is
that the application should not see the effects of these changes in
the header - they should be stripped before the app receives the
request and added after the application responds.

So it sounds like Henry is using a Tomcat-specific feature that
assumes Tomcat is performing Session management.

Isn't there a way to use a different custom header instead of
interfering with the JSESSIONID?

If not, maybe a Shiro Filter can be used to support the desired
behavior? (not sure entirely about this - it's just a hunch).

HTH!

Best,
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
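
The two steps described in the reply above (strip the modification before the application reads the JSESSIONID, re-add it after the application writes it), as a servlet filter placed in front of Shiro. This is an added example, not code from Shiro, Nexus or anyone on this thread; the class name `RouteSuffixFilter`, the `.node1` marker and the `javax.servlet` namespace are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: map it in web.xml ahead of the Shiro filter. */
public class RouteSuffixFilter implements Filter {
    static final String NAME = "JSESSIONID";
    static final String SUFFIX = ".node1"; // constructed routing marker (assumption)

    /** Step 1: drop the marker so the application reads the bare session id. */
    static String strip(String id) {
        return id != null && id.endsWith(SUFFIX)
                ? id.substring(0, id.length() - SUFFIX.length()) : id;
    }
    /** Step 2: re-append the marker inside a JSESSIONID Set-Cookie header value. */
    static String mark(String header, String value) {
        String prefix = NAME + "=";
        if (!"Set-Cookie".equalsIgnoreCase(header) || value == null
                || !value.startsWith(prefix)) return value;
        int semi = value.indexOf(';');
        int end = semi < 0 ? value.length() : semi; // id ends at the first attribute
        return prefix + strip(value.substring(prefix.length(), end)) + SUFFIX
                + value.substring(end);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = new HttpServletRequestWrapper((HttpServletRequest) rq) {
            @Override public Cookie[] getCookies() {
                Cookie[] in = super.getCookies();
                if (in == null) return null;
                Cookie[] out = new Cookie[in.length];
                for (int i = 0; i < in.length; i++) {
                    out[i] = (Cookie) in[i].clone(); // never mutate the container's copy
                    if (NAME.equals(out[i].getName())) out[i].setValue(strip(out[i].getValue()));
                }
                return out;
            }
        };
        HttpServletResponse res = new HttpServletResponseWrapper((HttpServletResponse) rs) {
            // Cover both write paths: raw Set-Cookie headers and the Cookie API.
            @Override public void addHeader(String h, String v) { super.addHeader(h, mark(h, v)); }
            @Override public void setHeader(String h, String v) { super.setHeader(h, mark(h, v)); }
            @Override public void addCookie(Cookie c) {
                if (NAME.equals(c.getName()) && c.getValue() != null) c.setValue(strip(c.getValue()) + SUFFIX);
                super.addCookie(c);
            }
        };
        chain.doFilter(req, res);
    }
}
```

Only an exact trailing match of the marker is removed; any other cookie value passes through unchanged, so validating the session id remains the session manager's job.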

