ThreadLocal and similar in Tomcat are problematic. I had to drop the ThreadLocal optimization from the OWASP Java Encoder (which sped it up dramatically) because of Tomcat.
I am not sure if this is relevant, but thought I'd drop this note anyhow.

Aloha,
Jim

On 2/21/17 3:04 AM, sreenivas Harshith (JIRA) wrote:
> [ https://issues.apache.org/jira/browse/SHIRO-613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15875930#comment-15875930 ]
>
> sreenivas Harshith edited comment on SHIRO-613 at 2/21/17 1:04 PM:
> -------------------------------------------------------------------
>
> [~bdemers]
>
> Found the Issue. The issue was with this SecurityUtils.getSubject() method I
> used to acquire the current executing user. This method uses ThreadContext
> and I guess the subject is getting shared across threads as I am using TomEE
> with Http-Nio. After I login some 5 times, the next call to login again
> SecurityUtils.getSubject().isAuthenticated() returns true even before I call
> this login(token); and when I check the principals it's the same user. I
> changed it to
>     Subject currentUser = new Subject.Builder().buildSubject();
> After this change I am getting unique Session Id for each login attempt and
> even if some sessions are expired it's not complaining.
>
> was (Author: sreenivash09):
> [~bdemers]
>
>> StoppedSessionException: Session with id has been explicitly stopped. No
>> further interaction under this session is allowed.
>> -------------------------------------------------------------------
>>
>> Key: SHIRO-613
>> URL: https://issues.apache.org/jira/browse/SHIRO-613
>> Project: Shiro
>> Issue Type: Bug
>> Components: Authentication (log-in), Session Management
>> Affects Versions: 1.3.2
>> Reporter: sreenivas Harshith
>> Labels: Sessiontimeout, StoppedSessionException, login, session
>>
>> I am using default shiro native session manager and Session DAO backed by Db
>> store for storing sessions. I have set the session timeout to 10 min and I
>> have the same user login multiple times, say 8 times. Once the session is
>> expired I tried to login with same user credentials from a different client
>> and shiro is calling this delete(Session sn) method implemented in my DAO to
>> delete those old sessions that are expired. Once the deletion is completed
>> it throws an exception with the deleted Session id saying
>> org.apache.shiro.session.StoppedSessionException: Session with id
>> [a9dd97a1-90d4-435c-b363-f74052dfa0dc] has been explicitly stopped. No
>> further interaction under this session is allowed, and it fails to login
>> the user.
>
> --
> This message was sent by Atlassian JIRA
> (v6.3.15#6346)
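
The failure mode discussed in this thread, thread-bound state surviving on a pooled container thread and showing up in a later request, as an added example that is not code from the thread, from Shiro or from the OWASP Java Encoder. A plain `java.lang.ThreadLocal` stands in for the thread-bound subject; the class, method and user names are hypothetical.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration (assumption): a plain ThreadLocal models a thread-bound
// security context. All names here are hypothetical, not Shiro or Tomcat APIs.
public class ThreadBoundIdentityDemo {
    // Per-thread "current user", bound when a request authenticates.
    private static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Leaky handler: binds the user on login and never unbinds it, so the value
    // stays attached to the worker thread after the request has finished.
    static String leakyHandle(String loginAs) {
        if (loginAs != null) {
            CURRENT_USER.set(loginAs);
        }
        return CURRENT_USER.get(); // identity this request believes it has
    }

    // Hardened handler: always clears the binding before the thread goes back
    // to the pool, whether the request succeeded or threw.
    static String cleanHandle(String loginAs) {
        try {
            if (loginAs != null) {
                CURRENT_USER.set(loginAs);
            }
            return CURRENT_USER.get();
        } finally {
            CURRENT_USER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // A single worker thread models a container pool that reuses the same
        // thread for successive, unrelated requests.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            pool.submit(() -> leakyHandle("alice")).get();              // request 1 logs in
            String leaked = pool.submit(() -> leakyHandle(null)).get(); // request 2 is anonymous
            System.out.println("leaky handler, anonymous request sees: " + leaked);

            pool.submit(() -> CURRENT_USER.remove()).get();             // reset between scenarios
            pool.submit(() -> cleanHandle("alice")).get();
            String clean = pool.submit(() -> cleanHandle(null)).get();
            System.out.println("clean handler, anonymous request sees: " + clean);
        } finally {
            pool.shutdown();
        }
    }
}
```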