Posted to user@shiro.apache.org by scSynergy <ro...@scsynergy.de> on 2015/08/06 14:38:00 UTC

Destroy SessionScoped CDI beans during Shiro logout

I have the problem that session scoped beans are not destroyed before the
session times out (30 minutes).

Therefore I have two questions regarding the following logout procedure:

   1. Is this the right way to use shiro logout (see logout() below)
   2. What would be the proper way to destroy the CDI session scoped beans
during logout.

---------------------------------------------------------------------------------------------------------------------------------------------

JSF page.xhtml
<p:commandLink ajax="false" actionListener="#{myOtherBean.logout}" />

---------------------------------------------------------------------------------------------------------------------------------------------

CDI session bean:
import java.io.IOException;
import java.io.Serializable;
import java.util.Observable;
import javax.annotation.PreDestroy;
import javax.enterprise.context.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.shiro.subject.Subject;

@Named
@SessionScoped
public class mySessionBean implements Serializable {

    @PreDestroy
    public void destroy() {
        System.err.println("this only gets called when session times out after 30 minutes");
    }
}

@Named
@SessionScoped
public class myOtherBean extends Observable implements Serializable {
    @Inject
    private Subject subject; // needs a CDI producer for Subject (e.g. one returning SecurityUtils.getSubject())

    public void logout() throws IOException {
        subject.logout();
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        ec.redirect(ec.getRequestContextPath() + "/login");
    }
}

---------------------------------------------------------------------------------------------------------------------------------------------

shiro.ini:
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
ssoCacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
ehCacheFactory = de.scsynergy.elementary.qi.shiro.EhCacheFactory
ssoCacheManager.cacheManager = $ehCacheFactory
securityManager.cacheManager = $ssoCacheManager

cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = SSOcookie
cookie.path = /
cookie.secure = true
cookie.httpOnly = true
securityManager.sessionManager.sessionIdCookie = $cookie
# set remember me path so all wars in container can see it
securityManager.rememberMeManager.cookie.path = / 

credentialsMatcher = org.apache.shiro.authc.credential.Sha512CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 500000
mongoRealm.credentialsMatcher = $credentialsMatcher
firstStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $firstStrategy
securityManager.realms = $mongoRealm
securityManager.rememberMeManager.cipherKey = 0x3a499d0eb36d896cc4a3c3a5e59c805f

authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
logout=org.apache.shiro.web.filter.authc.LogoutFilter
authc.loginUrl = /login.xhtml
authc.successUrl = /welcome.xhtml
logout.redirectUrl = /login.xhtml
# roles.unauthorizedUrl = /template.xhtml
# the following filter is not needed when SPNEGO filter is used since it includes the functionality
user = de.scsynergy.elementary.qi.FacesAjaxAwareUserFilter
user.loginUrl = /login.xhtml

[users]
superuser = , admin

[roles]
admin = *

[urls]
/login.xhtml = ssl[8443], user, authc
/logout = logout
# the next line is needed to retrieve jsf resources from jar library
/javax.faces.resource/** = ssl[8443], anon
/webdav/** = noSessionCreation, ssl[8443], authcBasic
/** = ssl[8443], user, authc

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Destroy-SessionScoped-CDI-beans-during-Shiro-logout-tp7580656.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Destroy SessionScoped CDI beans during Shiro logout

Posted by scSynergy <ro...@scsynergy.de>.
FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
throws an UnknownSessionException because subject.logout() has already
invalidated the Shiro session "SSOcookie". The ExternalContext does not have
access to the "JSESSIONID" session.



View this message in context: http://shiro-user.582556.n2.nabble.com/Destroy-SessionScoped-CDI-beans-during-Shiro-logout-tp7580656p7580664.html

Re: Destroy SessionScoped CDI beans during Shiro logout

Posted by Kirys <ki...@neoteroi.org>.
On 08/10/2015 03:30 PM, scSynergy wrote:
> Update
>
> It seems as though the problem arises from using
> org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> in combination with

I don't know shiro well enough but you are using faces so this before 
the redirect may help:

FacesContext.getCurrentInstance().getExternalContext().invalidateSession();

Cya
K.

Re: Destroy SessionScoped CDI beans during Shiro logout

Posted by scSynergy <ro...@scsynergy.de>.
Update

It seems as though the problem arises from using
org.apache.shiro.web.session.mgt.DefaultWebSessionManager
in combination with
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = SSOcookie

The result is 2 different sessions with 2 different session cookies and 2
redundant sets of backing beans - one session named JSESSIONID generated by
the application server and the other named SSOcookie generated by Shiro. 
Then, when subject.logout() is called, only the Shiro session bound to
SSOcookie is invalidated but the other one survives including any
@SessionScoped beans associated with this surviving session.

We have tried long and hard but have failed to grab hold of that surviving
session in order to invalidate it programmatically, because we cannot
correlate any beans of the JSESSIONID with those of SSOcookie to identify
which sessions belong together. 



View this message in context: http://shiro-user.582556.n2.nabble.com/Destroy-SessionScoped-CDI-beans-during-Shiro-logout-tp7580656p7580660.html
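The two-session split described in the update comes from Shiro's native session manager (DefaultWebSessionManager) tracking its own session under its own cookie, while JSF/CDI keep working against the container's JSESSIONID session. The fragment below is an added example, not the poster's configuration: it shows the poster's setting beside the alternative of letting Shiro use the servlet container's HttpSession as its session (ServletContainerSessionManager, which is also Shiro's default for web applications). With that manager Shiro's Session wraps the JSESSIONID session, so subject.logout() stops it by calling HttpSession.invalidate(), and CDI @SessionScoped beans get their @PreDestroy callback at logout instead of at the 30-minute timeout.

```ini
[main]
# --- Poster's setup: Shiro native sessions, tracked by Shiro's own cookie.
# The container still creates a JSESSIONID session for JSF/CDI, so each user
# has two sessions and subject.logout() only stops the Shiro one.
#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager = $sessionManager
#sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
#securityManager.sessionManager.sessionDAO = $sessionDAO
#cookie = org.apache.shiro.web.servlet.SimpleCookie
#cookie.name = SSOcookie
#cookie.secure = true
#cookie.httpOnly = true
#securityManager.sessionManager.sessionIdCookie = $cookie

# --- Alternative: Shiro's session IS the container's HttpSession.
# subject.logout() -> Session.stop() -> HttpSession.invalidate(), which
# fires @PreDestroy on every CDI @SessionScoped bean of that session.
# ServletContainerSessionManager has no sessionDAO or sessionIdCookie
# properties: the cookie name, path, secure and httpOnly flags are set in
# web.xml (<session-config><cookie-config>) and sessions are not shared
# across WARs through Shiro's session DAO any more.
sessionManager = org.apache.shiro.web.session.mgt.ServletContainerSessionManager
securityManager.sessionManager = $sessionManager
```

The trade-off is the reason the poster chose native sessions in the first place: the SSOcookie with path "/" and the cache-backed session DAO are what let several WARs in the container share one login. If that cross-WAR sharing is required, the container session manager is not an option and the listener-based correlation from the final reply is the way to get both sessions invalidated together.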

Re: Destroy SessionScoped CDI beans during Shiro logout

Posted by scSynergy <ro...@scsynergy.de>.
We found a solution to our problem:
We implemented an HttpSessionListener whose sessionCreated(HttpSessionEvent
se) method fires when the JSESSIONID session is created and we additionally
call subject.getSession() to retrieve the Shiro session 'SSOcookie'. Then we
save both to an @ApplicationScoped map and on logout we lookup the Shiro
session in the @ApplicationScoped map and invalidate the JSESSIONID
previously saved along with it.

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;

@WebListener
public class MyClass implements HttpSessionListener {
...
  @Override
  public void sessionCreated(HttpSessionEvent se) {
    HttpSession jsession = se.getSession();
    // the Shiro native session ('SSOcookie'); sessionCreated runs inside a request
    // that has passed ShiroFilter, so the thread-bound Subject is available here
    Session shiro = SecurityUtils.getSubject().getSession();
    // save both sessions someplace so we can invalidate them on logout
    ....
  }
...
}



View this message in context: http://shiro-user.582556.n2.nabble.com/Destroy-SessionScoped-CDI-beans-during-Shiro-logout-tp7580656p7580665.html
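The listener-plus-registry approach from the final reply, written out as a complete added example that is not the poster's code. The class names (SessionRegistry, ShiroSessionLinker, LogoutBean) and the "/login" redirect target are assumptions, and the three classes are shown in one listing only for brevity; each would go in its own source file. It assumes the poster's DefaultWebSessionManager setup (two distinct sessions) and a Java EE 6+ container where CDI injection into a @WebListener works. Two details matter: the Shiro session id is read before subject.logout(), because afterwards the native session is stopped and touching it raises the UnknownSessionException seen earlier in the thread; and sessionDestroyed drops the map entry, so a container-side timeout does not leave a stale HttpSession reference in the application-scoped map.

```java
// Added example (not the original poster's code): correlate the container's
// JSESSIONID session with Shiro's native 'SSOcookie' session when the former is
// created, and invalidate both on logout. Names below are illustrative.
import java.io.IOException;
import java.io.Serializable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

/** Shiro session id -> container session, shared by the whole application (hypothetical name). */
@ApplicationScoped
public class SessionRegistry {
    private final Map<Serializable, HttpSession> byShiroId = new ConcurrentHashMap<>();

    public void link(Serializable shiroSessionId, HttpSession httpSession) {
        byShiroId.put(shiroSessionId, httpSession);
    }

    /** Removes and returns the container session linked to a Shiro session id, or null. */
    public HttpSession unlink(Serializable shiroSessionId) {
        return byShiroId.remove(shiroSessionId);
    }

    /** Drops entries for a container session the container has already destroyed. */
    public void forget(HttpSession httpSession) {
        byShiroId.values().removeIf(s -> s == httpSession);
    }
}

@WebListener
public class ShiroSessionLinker implements HttpSessionListener {
    @Inject
    private SessionRegistry registry;

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Runs inside the request that created the container session. If that
        // request passed through ShiroFilter the Subject is bound to the thread;
        // otherwise (e.g. a session created outside Shiro) there is nothing to link.
        Subject subject = ThreadContext.getSubject();
        if (subject == null) {
            return;
        }
        Session shiroSession = subject.getSession(true); // the 'SSOcookie' session
        registry.link(shiroSession.getId(), se.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Container timeout or invalidation elsewhere: do not leak the entry.
        registry.forget(se.getSession());
    }
}

@Named
@SessionScoped
public class LogoutBean implements Serializable {
    @Inject
    private SessionRegistry registry;

    public void logout() throws IOException {
        Subject subject = SecurityUtils.getSubject();

        // Read the Shiro session id BEFORE subject.logout(): afterwards the native
        // session is stopped and any access to it throws UnknownSessionException.
        Session shiroSession = subject.getSession(false);
        HttpSession httpSession = shiroSession == null ? null : registry.unlink(shiroSession.getId());

        subject.logout(); // stops the Shiro session and clears the SSOcookie / rememberMe cookies

        if (httpSession != null) {
            try {
                // Invalidates the JSESSIONID session; CDI then calls @PreDestroy on
                // every @SessionScoped bean bound to it, including this bean.
                httpSession.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // timed out or invalidated concurrently; nothing left to do
            }
        }

        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        ec.redirect(ec.getRequestContextPath() + "/login"); // assumed login page path
    }
}
```

The registry holds in-memory HttpSession references, so it is per JVM: in a deployment where Shiro sessions are shared between nodes through the cache-backed session DAO, the lookup only succeeds on the node that created both sessions, and a logout arriving at another node will still stop the Shiro session but leave that node without a container session to invalidate.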