Posted to dev@shiro.apache.org by "Brian Demers (Commented) (JIRA)" <ji...@apache.org> on 2011/11/11 21:14:51 UTC

[jira] [Commented] (SHIRO-329) Standalone session timeout issue

    [ https://issues.apache.org/jira/browse/SHIRO-329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13148711#comment-13148711 ] 

Brian Demers commented on SHIRO-329:
------------------------------------

I have seen very similar stack traces; until recently I just assumed it was due to improper session handling (session storage cache too small, etc.).  We have since disabled sessions for most requests, and are still seeing UnknownSessionExceptions.  Are there other cases that can be thought of where the DelegatingSession _source_ Session no longer exists?

In the problem listed above, we could handle ExpiredSessionExceptions in DelegatingSubject.clearRunAsIdentities().

Matt, are you only seeing this problem with expired sessions?


                
> Standalone session timeout issue
> --------------------------------
>
>                 Key: SHIRO-329
>                 URL: https://issues.apache.org/jira/browse/SHIRO-329
>             Project: Shiro
>          Issue Type: Bug
>          Components: Session Management
>    Affects Versions: 1.1.0
>         Environment: Windows XP 32 bit, Java 1.6.0
>            Reporter: Matt Shaw
>
> Hi,
> I have some questions regarding sessions and the API behaviour.
> If I execute the following code:
>         Factory<org.apache.shiro.mgt.SecurityManager> factory =
>             new IniSecurityManagerFactory("vkb.ini");
>         org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
>         SecurityUtils.setSecurityManager(securityManager);        
>        
>         Subject user = SecurityUtils.getSubject();
>        
>         UsernamePasswordToken token = new UsernamePasswordToken("user", "battle1");
>        
>         user.login(token);            
>        
>         Session session = user.getSession();
>         session.setTimeout(0);
>        
>         user.logout();
> The logout method causes the following exception to occur:
> Exception in thread "main" org.apache.shiro.session.ExpiredSessionException: Session with id [7c3d80f2-ae4c-49b5-9a2d-a2c0f39cd904] has expired. Last access time: 28/09/11 09:35.  Current time: 28/09/11 09:35.  Session timeout is set to 0 seconds (0 minutes)
>         at org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:276)
>         at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:180)
>         at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
>         at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
>         at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
>         at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
>         at org.apache.shiro.session.mgt.AbstractNativeSessionManager.removeAttribute(AbstractNativeSessionManager.java:220)
>         at org.apache.shiro.session.mgt.DelegatingSession.removeAttribute(DelegatingSession.java:159)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
>         at org.apache.shiro.subject.support.DelegatingSubject.logout(DelegatingSubject.java:322)
>         at com.thalesgroup.battlelab.vkb.test.SecurityTest.main(SecurityTest.java:45)
> The only reason I'm calling setTimeout(0) is to simulate the session expiring due to a timeout that occurs in the system.  Why would the logout fail just because the session has expired?  How can I get around this issue?
> If I execute the following code:
>         Factory<org.apache.shiro.mgt.SecurityManager> factory =
>             new IniSecurityManagerFactory("vkb.ini");
>         org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
>         SecurityUtils.setSecurityManager(securityManager);        
>        
>         Subject user = SecurityUtils.getSubject();
>        
>         UsernamePasswordToken token = new UsernamePasswordToken("user", "battle1");
>        
>         user.login(token);            
>         user.login(token);            
>         user.login(token);            
>         user.login(token);            
>         user.login(token);            
>        
>         Session session = user.getSession();
>         session.setTimeout(0);
>        
>         user.login(token);                    
> The last login command throws an exception with the following stack trace:
> Exception in thread "main" org.apache.shiro.session.ExpiredSessionException: Session with id [96aa8e29-4a55-4c79-be48-8ed90f49da85] has expired. Last access time: 28/09/11 09:41.  Current time: 28/09/11 09:41.  Session timeout is set to 0 seconds (0 minutes)
>         at org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:276)
>         at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:180)
>         at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
>         at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
>         at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
>         at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
>         at org.apache.shiro.session.mgt.AbstractNativeSessionManager.removeAttribute(AbstractNativeSessionManager.java:220)
>         at org.apache.shiro.session.mgt.DelegatingSession.removeAttribute(DelegatingSession.java:159)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
>         at org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
>         at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:246)
>         at com.thalesgroup.battlelab.vkb.test.SecurityTest.main(SecurityTest.java:49)
> Is this the same problem?  Why can't I log in after a session has expired?  How can I log in after a session has expired?
> It is probably me misunderstanding the API but any help would be greatly appreciated.
> Best regards
> Matt
> Sep 28, 2011; 6:20pm Les Hazlewood-2
> Hi Matt,
> I'd consider this a bug - please open a Jira issue.
> This probably hasn't been seen before because, for example in a web or
> other 'server' style app, Shiro will validate a session on an inbound
> request before allowing it to continue - this behavior wouldn't be
> seen further down the call stack.
> In a standalone environment, such as a test case or daemon program,
> this would cause a problem if the timeout is very low.  Could you
> please open an issue?
> Thanks,
> -- 
> Les Hazlewood
> CTO, Katasoft | http://www.katasoft.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> katasoft blog: http://www.katasoft.com/blogs/lhazlewood
> personal blog: http://leshazlewood.com

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
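
A caller-side workaround for the two failures in the quoted report, as an added example that is not from the thread or from Shiro's code base: it treats an expired or unknown session as already logged out and retries login on a fresh Subject. The class and method names are hypothetical, and it assumes a standalone application where the Subject is bound to the calling thread.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/** Hypothetical helper (not part of Shiro) for standalone apps hit by SHIRO-329. */
public final class ExpiredSessionSafeAuth {

    private ExpiredSessionSafeAuth() {}

    /** Logs out; an already expired or unknown session counts as logged out. */
    public static void logout(Subject subject) {
        try {
            subject.logout();
        } catch (InvalidSessionException e) {
            // Parent type of ExpiredSessionException and UnknownSessionException:
            // the session is already gone, so there is nothing left to invalidate.
        } finally {
            // Assumption: 'subject' is the one bound to this thread. Dropping it
            // keeps later calls from reusing stale principals or the dead session.
            ThreadContext.unbindSubject();
        }
    }

    /** Logs in; if the current Subject's session has expired, retries once on a fresh Subject. */
    public static Subject login(AuthenticationToken token) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);
            return subject;
        } catch (InvalidSessionException e) {
            // Only session failures are retried; an AuthenticationException
            // (bad credentials, locked account) still propagates to the caller.
            ThreadContext.unbindSubject();
            Subject fresh = SecurityUtils.getSubject(); // builds and binds a new Subject
            fresh.login(token);
            return fresh;
        }
    }
}
```

After either call, obtain the Subject again through `SecurityUtils.getSubject()` or the returned value rather than keeping the old reference.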