Posted to user@shiro.apache.org by Les Hazlewood <lh...@apache.org> on 2012/05/02 15:56:36 UTC

Re: Starting shiro 1.2 securityManager.sessionManager.globalSessionTimeout = 1800000 no longer configurable

On Mon, Apr 30, 2012 at 2:38 PM, Dan Tran <da...@gmail.com> wrote:
>
> due to this config
>
>  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
>    [....]
>    <property name="sessionManager.globalSessionTimeout" value="1800000" />
>    [....]
>  </bean>

The above config is only valid if you've configured Shiro to use a
'native' session manager.  By default, the DefaultWebSecurityManager
uses a Servlet Container-based session manager, which delegates all
session management behavior to the Servlet Container.

> So I ended up adding this to my web.xml
>
>  <session-config>
>    <session-timeout>30</session-timeout>
>  </session-config>
>
> I don't think this is working either (I changed the value to 1 and the
> session is not timing out after 1 minute)

This appears to be correct.  I can't speak as to why your servlet
container wouldn't be honoring a 1-minute timeout, but this would be
out of Shiro's control since you're using Servlet Container-based
session management.

HTH,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog
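
For reference, an added example (not part of the original message) of the 'native' session manager setup the reply above describes, written in the same Spring bean style as the quoted config. It assumes Shiro's DefaultWebSessionManager class as the native implementation; the bean id "sessionManager" is an illustrative name.

```xml
<!-- Added example, not from the thread. Assumes Shiro's native web session
     manager, org.apache.shiro.web.session.mgt.DefaultWebSessionManager. -->

<!-- Native session manager: Shiro itself tracks and expires sessions,
     so globalSessionTimeout exists and is honored. Value is in milliseconds
     (1800000 ms = 30 minutes). -->
<bean id="sessionManager"
      class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
  <property name="globalSessionTimeout" value="1800000"/>
</bean>

<bean id="securityManager"
      class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
  <!-- Replaces the default servlet-container-based session manager. -->
  <property name="sessionManager" ref="sessionManager"/>
  <!-- realm and other properties as in the existing configuration -->
</bean>

<!-- Without the sessionManager bean above, the container owns session expiry
     and the timeout belongs in web.xml instead (value in minutes):

  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
-->
```

With the native manager configured, a session-timeout in web.xml no longer governs Shiro sessions, so the timeout should be set in one place only.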

Re: Starting shiro 1.2 securityManager.sessionManager.globalSessionTimeout = 1800000 no longer configurable

Posted by Dan Tran <da...@gmail.com>.
Thanks for the clarification, so it is likely from my Tomcat/mywebapp
side.  Let's troubleshoot this issue from my side.

Thanks again

-D

On Tue, May 8, 2012 at 11:54 AM, Les Hazlewood <lh...@apache.org> wrote:
> P.S. I tried this in Shiro's sample web app:
>
> https://svn.apache.org/repos/asf/shiro/trunk/samples/web/
>
> (mvn jetty:run)
>
> I added <session-config> (2 minutes) to web.xml and it timed out properly.
>
> Flow:
> 1. Log in successfully
> 2. See the home page
> 3. Wait a few minutes
> 4. Click on the 'account page' link.
>
> Shiro redirected me to the login page because my previous 2-minute session
> had timed out.
>
> This is using Jetty of course, but it should work identically in Tomcat or
> any other servlet container for that matter.
>
> HTH,

Re: Starting shiro 1.2 securityManager.sessionManager.globalSessionTimeout = 1800000 no longer configurable

Posted by Les Hazlewood <lh...@apache.org>.
P.S. I tried this in Shiro's sample web app:

https://svn.apache.org/repos/asf/shiro/trunk/samples/web/

(mvn jetty:run)

I added <session-config> (2 minutes) to web.xml and it timed out properly.

Flow:
1. Log in successfully
2. See the home page
3. Wait a few minutes
4. Click on the 'account page' link.

Shiro redirected me to the login page because my previous 2-minute session
had timed out.

This is using Jetty of course, but it should work identically in Tomcat or
any other servlet container for that matter.

HTH,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog


On Tue, May 8, 2012 at 11:29 AM, Les Hazlewood <lh...@apache.org> wrote:

> The default ServletContainerSessionManager implementation relies on
> whatever config there is in web.xml.
>
> SHIRO-240 was closed because ServletContainerSessionManager no longer has
> the notion of a globalSessionTimeout property - it doesn't even exist in
> its class hierarchy because it can't honor it.  After removing that
> property from its class hierarchy, it became 100% dependent upon the
> servlet container's behavior.
>
> I'd be curious if you find anything when enabling logging in your servlet
> container to see what is going on.  Which one are you using?
>
> Regards,
>
> Les

Re: Starting shiro 1.2 securityManager.sessionManager.globalSessionTimeout = 1800000 no longer configurable

Posted by Les Hazlewood <lh...@apache.org>.
The default ServletContainerSessionManager implementation relies on
whatever config there is in web.xml.

SHIRO-240 was closed because ServletContainerSessionManager no longer has
the notion of a globalSessionTimeout property - it doesn't even exist in
its class hierarchy because it can't honor it.  After removing that
property from its class hierarchy, it became 100% dependent upon the
servlet container's behavior.

I'd be curious if you find anything when enabling logging in your servlet
container to see what is going on.  Which one are you using?

Regards,

Les

On Mon, May 7, 2012 at 10:53 PM, Dan Tran <da...@gmail.com> wrote:

> Hi Les,
>
> Not sure if my issue is related to this
> https://issues.apache.org/jira/browse/SHIRO-240?
>
> Perhaps I should reopen SHIRO-240?
>
> -Dan

Re: Starting shiro 1.2 securityManager.sessionManager.globalSessionTimeout = 1800000 no longer configurable

Posted by Dan Tran <da...@gmail.com>.
Hi Les,

Not sure if my issue is related to this
https://issues.apache.org/jira/browse/SHIRO-240?

Perhaps I should reopen SHIRO-240?

-Dan
