[jira] [Commented] (SHIRO-512) Race condition in Shiro's web container session timeout handling

Tue, 10 Mar 2015 06:23:46 -0700 

    [ 
https://issues.apache.org/jira/browse/SHIRO-512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14354859#comment-14354859
 ] 

Denis Burlaka commented on SHIRO-512:
-------------------------------------

I also have similar issue:
org.apache.shiro.session.InvalidSessionException: 
java.lang.IllegalStateException: getAttribute: Session already invalidated
        at 
org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148)
 ~[HttpServletSession.class:1.2.3]
        at 
org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) 
~[ProxiedSession.class:1.2.3]
        at 
org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) 
~[ProxiedSession.class:1.2.3]
        at 
org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)
 ~[DelegatingSubject.class:1.2.3]
        at 
org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153)
 ~[DelegatingSubject.class:1.2.3]
        at 
org.apache.shiro.subject.support.DelegatingSubject.hasPrincipals(DelegatingSubject.java:126)
 ~[DelegatingSubject.class:1.2.3]
        at 
org.apache.shiro.subject.support.DelegatingSubject.isPermitted(DelegatingSubject.java:158)
 ~[DelegatingSubject.class:1.2.3]


> Race condition in Shiro's web container session timeout handling
> ----------------------------------------------------------------
>
>                 Key: SHIRO-512
>                 URL: https://issues.apache.org/jira/browse/SHIRO-512
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in)
>    Affects Versions: 1.2.2, 1.2.3
>            Reporter: Lenny Primak
>            Priority: Minor
>
> I cannot find anywhere that Shiro uses HttpSessionListener to trap 
> sessionDestroyed event from the container. 
> I believe this is leading to a rare race condition in my application, as 
> Shiro thinks the session is still active, 
> but in reality, the web session has been destroyed. 
> Code:  SecurityUtils.getSubject().getPrincipal(); 
> Relevant bit of stack trace: 
> Caused by: org.apache.shiro.session.InvalidSessionException: 
> java.lang.IllegalStateException: PWC2778: getAttribute: Session already 
> invalidated 
>         at 
> org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148)
>  
>         at 
> org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) 
>         at 
> org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)
>  
>         at 
> org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153)
>  
>         at 
> org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149)
>  
> Link to the mailing list thread: 
> http://shiro-user.582556.n2.nabble.com/Possible-race-condition-in-Shiro-s-web-container-session-timeout-handling-td7580138.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to