Thanks Jim!

On Tue, Feb 21, 2017 at 3:03 PM, Jim Manico <jim.man...@owasp.org> wrote:
> Threadlocal and similar in Tomcat is problematic. I had to drop
> Threadlocal optimization from the OWASP Java Encoder (which sped it up
> dramatically) because of Tomcat.
>
> I am not sure if this is relevant, but thought I'd drop this note anyhow.
>
> Aloha, Jim
>
>
> On 2/21/17 3:04 AM, sreenivas Harshith (JIRA) wrote:
> > [ https://issues.apache.org/jira/browse/SHIRO-613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15875930#comment-15875930 ]
> >
> > sreenivas Harshith edited comment on SHIRO-613 at 2/21/17 1:04 PM:
> > -------------------------------------------------------------------
> >
> > [~bdemers]
> >
> > Found the issue. The issue was with this SecurityUtils.getSubject()
> > method I used to acquire the current executing user. This method uses
> > ThreadContext and I guess the subject is getting shared across threads as I
> > am using TomEE with Http-Nio. After I login some 5 times, the next call to
> > login again SecurityUtils.getSubject().isAuthenticated() returns true
> > even before I call this login(token); and when I check the principals it's
> > the same user. I changed it to
> >
> > Subject currentUser = new Subject.Builder().buildSubject();
> >
> > After this change I am getting a unique Session Id for each login attempt
> > and even if some sessions are expired it's not complaining.
> >
> >
> > was (Author: sreenivash09):
> > [~bdemers]
> >
> >> StoppedSessionException: Session with id has been explicitly stopped.
> >> No further interaction under this session is allowed.
> >> ----------------------------------------------------------------------------------------------------------------------------
> >>
> >> Key: SHIRO-613
> >> URL: https://issues.apache.org/jira/browse/SHIRO-613
> >> Project: Shiro
> >> Issue Type: Bug
> >> Components: Authentication (log-in), Session Management
> >> Affects Versions: 1.3.2
> >> Reporter: sreenivas Harshith
> >> Labels: Sessiontimeout, StoppedSessionException, login, session
> >>
> >> I am using the default Shiro native session manager and a Session DAO backed
> >> by a Db store for storing sessions. I have set the session timeout to 10 min
> >> and I have the same user login multiple times, say 8 times. Once the
> >> session is expired I tried to login with the same user credentials from a
> >> different client and Shiro is calling this delete(Session sn) method
> >> implemented in my DAO to delete those old sessions that are expired. Once
> >> the deletion is completed it throws an exception with the deleted Session
> >> id saying org.apache.shiro.session.StoppedSessionException: Session with
> >> id [a9dd97a1-90d4-435c-b363-f74052dfa0dc] has been explicitly stopped.
> >> No further interaction under this session is allowed, and it fails to
> >> login the user.
> >
> > --
> > This message was sent by Atlassian JIRA
> > (v6.3.15#6346)
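The behaviour discussed in this thread, as an added example that is not code from the thread or from Shiro: a value bound to a pooled worker thread is still visible to the next request served by that thread unless it is removed. It uses a plain `ThreadLocal` as a stand-in for a thread-bound subject; `CURRENT_USER`, `leakyRequest` and `cleanRequest` are hypothetical names.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundSubjectLeak {
    // Stand-in for a thread-bound "current user" slot (plain ThreadLocal, not Shiro code).
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Leaky handler: binds the user on login and never unbinds it.
    // Returns what the request saw on entry, before any login of its own.
    static String leakyRequest(String loginAs) {
        String seenOnEntry = CURRENT_USER.get();
        if (loginAs != null) {
            CURRENT_USER.set(loginAs);
        }
        return seenOnEntry;
    }

    // Hardened handler: same logic, but the slot is always cleared when the request ends.
    static String cleanRequest(String loginAs) {
        try {
            String seenOnEntry = CURRENT_USER.get();
            if (loginAs != null) {
                CURRENT_USER.set(loginAs);
            }
            return seenOnEntry;
        } finally {
            CURRENT_USER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // A single worker models a connector pool handing the same thread to two clients.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            pool.submit(() -> leakyRequest("alice")).get();           // client A logs in
            String leaked = pool.submit(() -> leakyRequest(null)).get(); // client B, no login yet
            System.out.println("leaky handler, next request sees: " + leaked);

            pool.submit(() -> CURRENT_USER.remove()).get();           // reset the worker thread
            pool.submit(() -> cleanRequest("alice")).get();           // client A logs in
            String clean = pool.submit(() -> cleanRequest(null)).get();  // client B, no login yet
            System.out.println("clean handler, next request sees: " + clean);
        } finally {
            pool.shutdown();
        }
    }
}
```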