Posted to user@shiro.apache.org by jeffp <je...@gmail.com> on 2011/12/31 19:27:35 UTC

Issue with Shiro authorization getting 'cleared'

I have a Spring web application with Shiro configured with a custom Realm for
authentication/authorization.  Everything works as expected upon login and
for several minutes afterwards with an authenticated User having appropriate
Authorization via Roles/Permissions.

The issue is that Shiro loses the Authorization information seemingly at
random, but the Session remains valid.  The application can still get a
Principal from the Shiro session, but it has no roles/permissions associated
with it any longer.  I'm using JSP tags as well as the API and both agree
that the roles/permissions are not available.  The filterChainDefinitions
still work correctly.  If I explicitly call clearCachedAuthorizationInfo(...)
in the realm it clears up the issue for a short period of time.

Logout/Login does not always resolve the issue immediately, and at one point
I could predict the Authorization going away 2 minutes after login; however,
changing the Realm configuration to explicitly set a CacheManager changed
that to randomly losing the roles/perms.

I've been through the documentation and forums several times and added a
SessionListener and CacheListeners, but I'm not seeing evictions, removals or
expiries.  I can see the 'shiro-activeSessionCache' being updated for
Sessions, but that's all the cache activity I see.

I'm out of ideas.  I was under the impression that Shiro handles its own
Cache evictions, etc., and that's why EhCache is configured with eternal=true
& TTL=0.

Does anybody see an issue with my configuration below, or has anyone seen
this issue before?

applicationContext.xml

    <bean id="shiroFilter"
          class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login.jsp"/>
        <property name="filterChainDefinitions">
            <value>
                /login.jsp = authc
                /sm/** = authc
            </value>
        </property>
    </bean>

    <bean id="securityManager"
          class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="sessionMode" value="native"/>
        <property name="realm" ref="siteRealm"/>
        <property name="sessionManager" ref="sessionManager"/>
        <property name="cacheManager" ref="cacheManager"/>
    </bean>

    <bean id="cacheManager"
          class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManager" ref="ehCacheManager"/>
    </bean>

    <bean id="ehCacheManager"
          class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>

    <bean id="sessionDAO"
          class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"/>

    <bean id="sessionManager"
          class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <property name="globalSessionTimeout" value="3600000"/>
        <property name="sessionDAO" ref="sessionDAO"/>
    </bean>

    <bean id="credentialsMatcher"
          class="org.apache.shiro.authc.credential.Sha256CredentialsMatcher">
        <property name="storedCredentialsHexEncoded" value="false"/>
        <property name="hashIterations" value="1024"/>
    </bean>

    <bean id="siteRealm" class="com.jeffp.SiteRealm">
        <property name="credentialsMatcher" ref="credentialsMatcher"/>
        <property name="cacheManager" ref="cacheManager"/>
        <property name="authorizationCacheName" value="shiro-activeSessionCache"/>
    </bean>


ehcache.xml

    <cache name="shiro-activeSessionCache"
           maxElementsInMemory="10000"
           overflowToDisk="true"
           eternal="true"
           timeToLiveSeconds="0"
           timeToIdleSeconds="0"
           diskPersistent="true"
           diskExpiryThreadIntervalSeconds="600">
        <cacheEventListenerFactory
            class="com.jeffp.MyCacheEventListenerFactory"/>
    </cache>

    <cache name="org.apache.shiro.realm.text.PropertiesRealm-0-accounts"
           maxElementsInMemory="1000"
           eternal="true"
           overflowToDisk="true">
        <cacheEventListenerFactory
            class="com.jeffp.MyCacheEventListenerFactory"/>
    </cache>



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Issue-with-Shiro-authorization-getting-cleared-tp7140992p7140992.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Issue with Shiro authorization getting 'cleared'

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jeff,

You're right, this needs to be clearer in the documentation.  If you
get a chance, would you please open a Jira issue for this so it isn't
lost?

Thanks,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Wed, Jan 4, 2012 at 1:39 PM, jeffp <je...@gmail.com> wrote:
> Cleaning up that code actually didn't solve it after all.  However, I did
> figure this out by digging through the source of AuthorizingRealm.
>
> It turns out that this was a cache "problem".  AuthorizingRealm requires its
> own cache to be defined and sans doing that reverts back to the default
> cache (2 minute cache).  The cache HAS to be named as follows:
>
> authorizationCacheName = getClass().getName() +
> DEFAULT_AUTHORIZATION_CACHE_SUFFIX;
>
> where the suffix is ".authorizationCache".  Failing to define an eternal
> cache for this results in really odd behavior.  If you override
> AuthorizingCache then you'll need to define the cache using your own class
> name as shown below.
>
>    <cache name="com.samples.MyCustomRealm.authorizationCache"
>           maxElementsInMemory="10000"
>           overflowToDisk="true"
>           eternal="true"
>           timeToLiveSeconds="0"
>           timeToIdleSeconds="0"
>           diskPersistent="true"
>           diskExpiryThreadIntervalSeconds="600">
>    </cache>
>
> Maybe this is in the documentation somewhere, but I totally missed it and it
> caused me a lot of time and effort to figure it out.  The documentation does
> say that expiring the cache without telling Shiro about it is a very bad
> thing -- I agree.   I hope this bit of information benefits somebody else.
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Issue-with-Shiro-authorization-getting-cleared-tp7140992p7152087.html
> Sent from the Shiro User mailing list archive at Nabble.com.

Re: Issue with Shiro authorization getting 'cleared'

Posted by jeffp <je...@gmail.com>.
Cleaning up that code actually didn't solve it after all.  However, I did
figure this out by digging through the source of AuthorizingRealm.

It turns out that this was a cache "problem".  AuthorizingRealm requires its
own cache to be defined and sans doing that reverts back to the default
cache (2 minute cache).  The cache HAS to be named as follows:

authorizationCacheName = getClass().getName() +
DEFAULT_AUTHORIZATION_CACHE_SUFFIX;

where the suffix is ".authorizationCache".  Failing to define an eternal
cache for this results in really odd behavior.  If you override
AuthorizingCache then you'll need to define the cache using your own class
name as shown below.

    <cache name="com.samples.MyCustomRealm.authorizationCache"
           maxElementsInMemory="10000"
           overflowToDisk="true"
           eternal="true"
           timeToLiveSeconds="0"
           timeToIdleSeconds="0"
           diskPersistent="true"
           diskExpiryThreadIntervalSeconds="600">
    </cache>

Maybe this is in the documentation somewhere, but I totally missed it and it
caused me a lot of time and effort to figure it out.  The documentation does
say that expiring the cache without telling Shiro about it is a very bad
thing -- I agree.   I hope this bit of information benefits somebody else.


--
View this message in context: http://shiro-user.582556.n2.nabble.com/Issue-with-Shiro-authorization-getting-cleared-tp7140992p7152087.html
Sent from the Shiro User mailing list archive at Nabble.com.
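An added example, not code from this thread or from the Shiro project, that turns the two findings above into a startup check: it walks every AuthorizingRealm registered with the security manager and reports any realm whose authorization cache name has no matching <cache> entry in ehcache.xml (the silent fall-back to the default cache that Jeff describes) or is the same region the session DAO uses for active sessions (the "shiro-activeSessionCache" setting from the first post). It assumes Shiro 1.x with shiro-ehcache and Ehcache 2.x on the classpath; where it is called from (for example a Spring init-method) is up to the application.

```java
import java.util.ArrayList;
import java.util.List;

import net.sf.ehcache.CacheManager;
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.eis.CachingSessionDAO;

/** Hypothetical helper: fail fast instead of running on the default cache. */
public final class AuthorizationCacheCheck {

    // Suffix AuthorizingRealm appends to the realm class name when no
    // authorizationCacheName is configured (see the thread above).
    private static final String DEFAULT_SUFFIX = ".authorizationCache";

    private AuthorizationCacheCheck() {}

    /** Returns one problem description per misconfigured realm; empty means OK. */
    public static List<String> findProblems(RealmSecurityManager securityManager,
                                            EhCacheManager shiroCacheManager) {
        CacheManager ehcache = shiroCacheManager.getCacheManager();
        List<String> problems = new ArrayList<String>();
        for (Realm realm : securityManager.getRealms()) {
            if (!(realm instanceof AuthorizingRealm)) {
                continue;
            }
            String cacheName = ((AuthorizingRealm) realm).getAuthorizationCacheName();
            if (cacheName == null) {
                // Older/lazy-initialised realms expose the name only on first use.
                cacheName = realm.getClass().getName() + DEFAULT_SUFFIX;
            }
            if (!ehcache.cacheExists(cacheName)) {
                problems.add(realm.getName() + ": no ehcache.xml <cache> named '"
                        + cacheName + "' (Shiro would use the default cache)");
            } else if (CachingSessionDAO.ACTIVE_SESSION_CACHE_NAME.equals(cacheName)) {
                problems.add(realm.getName() + ": authorization cache shares the "
                        + "active-session region '" + cacheName + "'");
            }
        }
        return problems;
    }

    /** Throws during startup so the deployment cannot proceed misconfigured. */
    public static void verify(RealmSecurityManager securityManager,
                              EhCacheManager shiroCacheManager) {
        List<String> problems = findProblems(securityManager, shiroCacheManager);
        if (!problems.isEmpty()) {
            throw new IllegalStateException("Shiro authorization cache misconfigured: " + problems);
        }
    }
}
```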

Re: Issue with Shiro authorization getting 'cleared'

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jeff,

Glad to hear you resolved it!

Cheers,

Les

On Sun, Jan 1, 2012 at 9:49 PM, jeffp <je...@gmail.com> wrote:
> This is resolved.  Not a configuration issue, but rather a coding issue.
> Part of the application allows a user with permissions to view/edit other
> users and there was sloppy handling between currentUser and the viewed user
> objects that caused the problem.
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Issue-with-Shiro-authorization-getting-cleared-tp7140992p7142954.html
> Sent from the Shiro User mailing list archive at Nabble.com.

Re: Issue with Shiro authorization getting 'cleared'

Posted by jeffp <je...@gmail.com>.
This is resolved.  Not a configuration issue, but rather a coding issue. 
Part of the application allows a user with permissions to view/edit other
users and there was sloppy handling between currentUser and the viewed user
objects that caused the problem.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Issue-with-Shiro-authorization-getting-cleared-tp7140992p7142954.html
Sent from the Shiro User mailing list archive at Nabble.com.