Posted to user@shiro.apache.org by "rasel.ahmed" <ra...@keynote-sigos.com> on 2015/02/17 12:31:51 UTC

Shiro lost subject principal value

Hi, I have a problem with the Shiro principal value.
I am using shiro-1.2.3. I have multiple Shiro realms.
I set up my global session timeout for testing:
sessionManager.globalSessionTimeout = 65000

Now I log in to my project from two browsers, Firefox and Chrome.

I close the Firefox browser BUT keep continuing my actions in the Chrome browser. After
65 seconds the Firefox one gets SESSION EXPIRED. Then, 65 more seconds later,
I lose the principal value though I am still working in Chrome:
SecurityUtils.getSubject().getPrincipal() == null.

In my debugger I can see my session is there... it keeps notifying the session value
..... but it has already lost
all principal values during SESSION expired.

Can anybody please explain to me how I can solve the issue?

Rasel 



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-lost-subject-principal-value-tp7580449.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro lost subject principal value

Posted by "rasel.ahmed" <ra...@keynote-sigos.com>.
sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 1800000

Using this configuration, you can override the session validator method
calling.
Yes, you don't have too much control over it.

If your principal value became NULL, during this session validation it will
be an error, and the system will lose the session.




Re: Shiro lost subject principal value

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
How is the schedule method called?
If it's called from another thread, you won't have access to any Shiro facilities
because Shiro keeps its state in a thread-local manner.
To get that state, the flow has to go through the Shiro filter and associate the session / principal
with the current thread context.

On Feb 27, 2015, at 4:18 AM, rasel.ahmed wrote:

> The session is there. I have a session-scoped class with a scheduler method where I
> can see some log is printed.
> In debug mode, I have checked: the principal value became NULL.
> 
> Anyway, I have got a solution for the problem:
> public class ActiveSessionsListener implements SessionListener {
> 
>  @Override
>  public void onStart(Session session) {
> 
>  }
> 
>  @Override
>  public void onStop(Session session) {
> 
>  }
> 
>  @Override
>  public void onExpiration(Session session) {
>    session.stop();
>  }
> }
> 
> I don't know where the root cause of this problem is, but the
> problem started from SESSION EXPIRE only.
> In the code above, during onexpire, I call the session stop() method. It resolves my
> problem.
> I didn't get the real cause of why it happens. I am quite confused whether this is a
> problem with SHIRO or not.
> 
> Even if you remove the custom filter, it will not resolve the problem, because
> Shiro has an authentication checker scheduler. At that point, if the principal
> value is not there, it will still be logged out from the system.
> 
> 
> 
> 
> 
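
Lenny Primak's reply above says Shiro keeps its state per thread. As an added example that is not part of the original thread, this program reads the principal on a worker thread with and without Subject.associateWith. The class name, realm name, account and password are constructed for illustration, and a Shiro 1.x jar on the classpath is assumed.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

// Hypothetical demo class, not code from the thread.
public class ThreadBoundSubjectDemo {

    // Reads the principal the way a scheduled method would: from the
    // Subject bound to whichever thread happens to run the task.
    static final Callable<Object> READ_PRINCIPAL =
            () -> SecurityUtils.getSubject().getPrincipal();

    public static void main(String[] args) throws Exception {
        // Constructed in-memory realm and account, for illustration only.
        SimpleAccountRealm realm = new SimpleAccountRealm("demoRealm");
        realm.addAccount("userA", "constructed-password");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        // Stand-in for the request thread: after login, the authenticated
        // Subject is bound to this thread only.
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("userA", "constructed-password"));

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Worker thread, no association: Shiro builds a fresh anonymous
            // Subject there, so the principal comes back null.
            Object unbound = pool.submit(READ_PRINCIPAL).get();

            // Same task wrapped by associateWith: the logged-in Subject is
            // bound for the duration of the call and unbound afterwards.
            Object bound = pool.submit(subject.associateWith(READ_PRINCIPAL)).get();

            System.out.println("principal without association: " + unbound);
            System.out.println("principal with association:    " + bound);
        } finally {
            pool.shutdown();
            subject.logout();
        }
    }
}
```

In a web application the Subject has to be captured on the request thread, after the Shiro filter has bound it, and the wrapped task handed to the scheduler from there.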


Re: Shiro lost subject principal value

Posted by "rasel.ahmed" <ra...@keynote-sigos.com>.
The session is there. I have a session-scoped class with a scheduler method where I
can see some log is printed.
In debug mode, I have checked: the principal value became NULL.

Anyway, I have got a solution for the problem:
public class ActiveSessionsListener implements SessionListener {

  @Override
  public void onStart(Session session) {

  }

  @Override
  public void onStop(Session session) {

  }

  @Override
  public void onExpiration(Session session) {
    session.stop();
  }
}

I don't know where the root cause of this problem is, but the
problem started from SESSION EXPIRE only.
In the code above, during onexpire, I call the session stop() method. It resolves my
problem.
I didn't get the real cause of why it happens. I am quite confused whether this is a
problem with SHIRO or not.

Even if you remove the custom filter, it will not resolve the problem, because
Shiro has an authentication checker scheduler. At that point, if the principal
value is not there, it will still be logged out from the system.





Re: Shiro lost subject principal value

Posted by Brian Demers <br...@gmail.com>.
What do you mean by the session is there? But the principal isn't?  Is the session looked up from a cookie?  Does this work without your custom filter?

-Brian

> On Feb 25, 2015, at 3:27 AM, rasel.ahmed <ra...@keynote-sigos.com> wrote:
> 
> Hi Brian,
> Thanks for your reply. I am sorry for the late reply; I was on vacation.
> The following happens:
> 
> 1.) Log user 'A' into Firefox
> 2.) Log user 'A' into Chrome
> 3.) Let Firefox sit idle for 65 seconds (session expires)
> 4.) Chrome is not idle; I am continuously working in it.
> 5.) Perform some server-side action / I just refresh the client side. Of course,
> the client page calls the server REST web service.
> 6.) Though I am continuously working in Chrome, it lost the principal value.
> 7.) NOTE: The session is there; only principals() became null.
> 8.) When the principal became NULL, I am forced back to the login page. Then I
> can't take any action on the UI page except the login. Simply, as expected,
> 65 seconds later the Chrome session times out.
> 
> Reason: When I lose my principal value, it pushes me back to the login page,
> because I have a custom filter class and I override the method as shown here.
> All my .XHTML pages are filtered by this method.
> public class TestAuthenticationFilter extends AuthenticatingFilter {
> ......................
> ............
>   protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
>     if (isLoginRequest(request, response)) {
>       return true;
>     } else {
>       return SecurityUtils.getSubject().getPrincipals() != null
>           && super.isAccessAllowed(request, response, mappedValue);
>     }
>   }
> ......................
> }
> public class SingleSignOnSessionId implements Serializable {
> ..................
> .....................
> }
> 
> public class TestAuthorizingRealm extends AuthorizingRealm {
> ...............
> .................................
>   protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
>     userTO = GetUserDataFromserver(); // using a REST web service call
>     Collection<Serializable> principals = Arrays.asList(userTO, new SingleSignOnSessionId(userTO.getSessionId()));
>     PrincipalCollection principalCollection = new SimplePrincipalCollection(principals, getName());
>     return new SimpleAuthenticationInfo(principalCollection, token.getCredentials());
>   }
> 
> }
> 
> 
> 
> 

Re: Shiro lost subject principal value

Posted by "rasel.ahmed" <ra...@keynote-sigos.com>.
Hi Brian,
Thanks for your reply. I am sorry for the late reply; I was on vacation.
The following happens:

1.) Log user 'A' into Firefox
2.) Log user 'A' into Chrome
3.) Let Firefox sit idle for 65 seconds (session expires)
4.) Chrome is not idle; I am continuously working in it.
5.) Perform some server-side action / I just refresh the client side. Of course,
the client page calls the server REST web service.
6.) Though I am continuously working in Chrome, it lost the principal value.
7.) NOTE: The session is there; only principals() became null.
8.) When the principal became NULL, I am forced back to the login page. Then I
can't take any action on the UI page except the login. Simply, as expected,
65 seconds later the Chrome session times out.

Reason: When I lose my principal value, it pushes me back to the login page,
because I have a custom filter class and I override the method as shown here.
All my .XHTML pages are filtered by this method.
public class TestAuthenticationFilter extends AuthenticatingFilter {
......................
............
  protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    if (isLoginRequest(request, response)) {
      return true;
    } else {
      return SecurityUtils.getSubject().getPrincipals() != null
          && super.isAccessAllowed(request, response, mappedValue);
    }
  }
......................
}
public class SingleSignOnSessionId implements Serializable {
..................
.....................
}

public class TestAuthorizingRealm extends AuthorizingRealm {
...............
.................................
  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
    userTO = GetUserDataFromserver(); // using a REST web service call
    Collection<Serializable> principals = Arrays.asList(userTO, new SingleSignOnSessionId(userTO.getSessionId()));
    PrincipalCollection principalCollection = new SimplePrincipalCollection(principals, getName());
    return new SimpleAuthenticationInfo(principalCollection, token.getCredentials());
  }

}





Re: Shiro lost subject principal value

Posted by Brian Demers <br...@gmail.com>.
I'm not sure I fully understand, does this accurately describe what you are
seeing?

1.) Log user 'A' into Firefox
2.) Log user 'A' into Chrome
3.) Let Firefox sit idle for 65 seconds (session expires)
4.) Let Chrome sit idle for 35 seconds
5.) Perform some server side action
6.) Let Chrome sit idle for 30 seconds
Session incorrectly times out?



On Tue, Feb 17, 2015 at 6:31 AM, rasel.ahmed <ra...@keynote-sigos.com>
wrote:

> Hi, I have a problem with the Shiro principal value.
> I am using shiro-1.2.3. I have multiple Shiro realms.
> I set up my global session timeout for testing:
> sessionManager.globalSessionTimeout = 65000
>
> Now I log in to my project from two browsers, Firefox and Chrome.
>
> I close the Firefox browser BUT keep continuing my actions in the Chrome browser. After
> 65 seconds the Firefox one gets SESSION EXPIRED. Then, 65 more seconds later,
> I lose the principal value though I am still working in Chrome:
> SecurityUtils.getSubject().getPrincipal() == null.
>
> In my debugger I can see my session is there... it keeps notifying the session value
> ..... but it has already lost
> all principal values during SESSION expired.
>
> Can anybody please explain to me how I can solve the issue?
>
> Rasel
>
>
>
>