Hi Mad,

What is your UI technology? My application is in Flex; how can I tell
my Flex client to open a login page when the session expires?

Could you post your web.xml configuration?

We are not using any configuration for URLs; I am only using the main
section to configure the realm and session timeout.

 

Thanks

Balajee 

 

________________________________

From: mad rug <[email protected]> [mailto:mad rug
<[email protected]>] 
Sent: Monday, September 07, 2009 5:49 PM
To: [email protected]
Subject: Re: Losing session

 

Hi Les,

 

I finally updated my Shiro snapshot and, yes, the session timeout now
works nicely. Thanks for the fixes!

Also, now I notice that every time the session expires, I get redirected
to my configured login page. This is nice, but I'd like to be able to
configure this further, like redirecting to some special notice page
("your session expired due to long inactivity time, click here to login
again"). How can I do it? Also, I read your suggestion about
SessionListener, but I'm confused about how it can help me handle session
expirations, because it only gives me the expired session.

What's the suggested way to do this?

 

Thanks!

 

On Fri, Sep 4, 2009 at 1:33 PM, <[email protected]> wrote:

Hi Les,

As a workaround, where should I set the cache manager?

I am using ShiroFilter for Flex requests.

Once ShiroFilter execution is over, I call my remote services using
BlazeDS.

Could you suggest the best place to set the cache manager?

 

Thanks

Balajee

 

________________________________

From: [email protected] [mailto:[email protected]] On
Behalf Of Les Hazlewood <[email protected]>
Sent: Friday, September 04, 2009 5:32 PM


To: [email protected]
Subject: Re: Losing session

 

You need to specify a SessionListener on the SecurityManager instance: 


org.apache.shiro.session.SessionListener sessionListener = new MySessionListener(); 
securityManager.addSessionListener(sessionListener); 

Currently, because there is no setSessionListener method (only for a 
collection) and collections support does not work in the INI 
configuration, you can't configure this in web.xml or shiro.ini - it 
needs to be in code. 

This is a limitation to the .ini file format and makes it difficult to 
configure object graphs. The devs have discussed other configuration 
mechanisms in the past, and we think we'll need a better solution for 
1.0. Stay tuned for that. 

Cheers, 

Les 
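
An added example, not part of the original thread and not Shiro project code: one way to act on the expiration callback discussed above is to record the ids of sessions that timed out, so a later request presenting a stale id can be answered with a "session expired" notice instead of the plain login page. The class name, the retention window and the consumeExpired helper are hypothetical, and the package names assume the Shiro 1.x layout rather than the 2009 snapshot used in this thread.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
// Assumption: Shiro 1.x package names; the 2009 snapshot in this thread used other packages.
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/** Hypothetical listener: remembers ids of sessions that ended by timeout. */
public class ExpiryTrackingListener implements SessionListener {

    private static final long REMEMBER_MS = 60 * 60 * 1000L; // keep ids for one hour
    private final Map<Serializable, Long> expiredAt = new ConcurrentHashMap<>();

    @Override public void onStart(Session session) { }

    @Override public void onStop(Session session) { } // explicit stop/logout: nothing to report

    @Override
    public void onExpiration(Session session) {
        // Fired lazily: on the validation pass or when the stale session is next accessed.
        expiredAt.put(session.getId(), System.currentTimeMillis());
    }

    /** Returns true once for an id that timed out within the retention window. */
    public boolean consumeExpired(Serializable sessionId) {
        long cutoff = System.currentTimeMillis() - REMEMBER_MS;
        expiredAt.values().removeIf(t -> t < cutoff); // bound memory use
        return sessionId != null && expiredAt.remove(sessionId) != null;
    }

    /** Programmatic wiring, since the thread says listeners must be set in code. */
    public static DefaultWebSecurityManager wire(ExpiryTrackingListener listener) {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setGlobalSessionTimeout(15 * 60 * 1000L); // 15 min idle timeout
        sessionManager.setSessionValidationInterval(60 * 1000L); // validation pass every minute
        sessionManager.setSessionListeners(
                Collections.<SessionListener>singletonList(listener));
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        return securityManager;
    }
}
```

A request filter (not shown, and an assumption about the application) would pass the session id taken from the incoming session cookie to consumeExpired and choose between the notice page and the normal login page.
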

On Fri, Sep 4, 2009 at 11:05 AM, wrote: 
> Hi Mad, 
> 
> I took the new source code a few hours ago and built it with Maven. 
> 
> Now I am able to set the session timeout, but I still couldn't resolve how to
> get the notification when the session expires on the server so that I can
> send some message to the client. 
> 
> I am using Flex and Java in my application, so I have to send a message using
> BlazeDS to Flex whenever the session times out. 
> 
> 
> 
> @Les: could you please tell me how to get some kind of notification when the
> session times out? 
> 
> 
> 
> Thanks 
> 
> Balajee 
> 
> 
> 
> ________________________________ 
> 

> From: mad rug [mailto:mad rug ] 

> Sent: Friday, September 04, 2009 5:01 PM 
> To: [email protected] 
> Subject: Re: Losing session 
> 
> 
> 
> Balajee, 
> 
> 
> 
> No, my issue is not fixed yet, but I haven't investigated it further... I
> still couldn't get the time to try the latest Shiro snapshot, as I'm with
> other tasks in hand. 
> 
> 
> 
> Is this configuration you posted making the expire timeout work? Are you
> using the latest snapshot? 
> 
> If this is not the fix, let us know if you find it. As soon as I go back to
> this issue and discover something, I'll send a mail. 
> 
> 
> 
> Regards, 
> 
> Mad 
> 
> On Fri, Sep 4, 2009 at 11:24 AM, Les Hazlewood wrote: 
> 
> Please don't use the 'sm' alias.  It has been removed from the latest 
> Shiro snapshot.  It was causing problems and it should have never been
> enabled - there is no way to specify aliases for anything else in 
> configuration and this one special case was causing problems, so it 
> was better to remove it and have the securityManager work like 
> everything else. 
> 
> Just use the 'securityManager' bean name from now on please. 
> 
> - Les 
> 

> On Fri, Sep 4, 2009 at 9:01 AM,   wrote: 
>> Hi Les, 
>> 
>> Even though I specified the configuration in web.xml as below: 
>> 
>>                   [main] 
>> 
>>                         realmA = com.xymz.abc.imp.myDAo 
>> 
>>                         securityManager = org.apache.shiro.web.DefaultWebSecurityManager 
>> 
>>                         sessionManager = org.apache.shiro.web.session.DefaultWebSessionManager 
>> 
>>                         sessionManager.globalSessionTimeout = 300000 
>> 
>>                         securityManager.sessionMode = native 
>> 
>>                         securityManager.sessionManager = $sessionManager 
>> 
>> 
>> 
>> When I debugged deeper, I found the root cause as below: 
>> 
>> The web.xml-configured securityManager is being replaced by the default
>> securityManager, which was created in the createSecurityManagerForSection
>> method of the IniConfiguration class. 
>> 
>> In this method the following snippet of code is there as defaults: 
>> 
>>         defaults.put("securityManager", securityManager); 
>> 
>>         //convenient alias: 
>> 
>>         defaults.put("sm", securityManager); 
>> 
>> 
>> 
>> The SecurityManager created by key "securityManager" is being replaced by
>> key "sm" by the following line: 
>> 
>> 
>> 
>> if (value instanceof RealmSecurityManager) { 
>> 
>>                 securityManager = (RealmSecurityManager) value; 
>> 
>>             } 
>> 
>> 
>> 
>> If I add the following code along with the above web.xml configuration,
>> then it is configured correctly. 
>> 
>> 
>> 
>>                         sm = org.apache.shiro.web.DefaultWebSecurityManager 
>> 
>>                         sm.sessionMode = native 
>> 
>>                         sm.sessionManager = $sessionManager 
>> 
>> 
>> 
>> Both the default securityManagers are replaced by web.xml configured 
>> values. 
>> 
>> 
>> 
>> May I know what is the purpose of defaults.put("sm", "securityManager");? 
>> 
>> 
>> 
>> Could you please tell us how to tell the end user that the session expired? 
>> 
>> 
>> 
>> Thanks 
>> 
>> Balajee 
>> 
>> 
>> 
>> ________________________________ 
>> 
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of Les Hazlewood 

>> Sent: Tuesday, August 25, 2009 4:43 PM 
>> To: [email protected] 
>> Subject: Re: Losing session 
>> 
>> 
>> 
>> Hi Mad, 
>> 
>> Wait until tomorrow when hopefully the trunk is back to being stable 
>> again - then you should try the latest trunk as I recall a session 
>> timeout bug being fixed early last week. 
>> 
>> - Les 
>> 
>> On Tue, Aug 25, 2009 at 10:14 AM, mad rug wrote: 
>>> I'm still troubled with this... 
>>> I keep losing my session after 30 minutes (default timeout), no matter
>>> the user activity. I need to fix this to allow session expiration after
>>> some time of inactivity, and present nice messages when the session expires. 
>>> What's the way to do this? 
>>> Thanks! 
>>> 
>>> On Fri, Aug 21, 2009 at 12:57 PM, mad rug wrote: 
>>>> 
>>>> Well, I might try it then... weekend is coming, and I can get what I had
>>>> to do until Monday, and still fix this... I hope :-P 
>>>> Other notes: 
>>>> - I thought that I may change the sessionValidationInterval property to a
>>>> lower value so the session gets invalidated quickly, but I couldn't find it
>>>> on DefaultWebSecurityManager, even though it 
>>>> extends AbstractValidatingSessionManager; 
>>>> - I read about autoCreateSessionAfterInvalidation, that it is defaulted to
>>>> true, I got a doubt: if the session is replaced by a new one, like I guess
>>>> it is happening in my case, then this is merely a dev convenience to let the
>>>> user log itself using the already available new session, but all the data
>>>> stored in the previous session is gone, is that right? 
>>>> I implemented a SessionListener, but I'm now unsure how it will help me. 
>>>> First, it does notify me on session timeout, but all that I get is the
>>>> expired session... I want to notify the user with some 'session expired,
>>>> login again' message, but an expired session won't help me on that, I
>>>> guess. 
>>>> How can I do it? 
>>>> Second, I used the listener to set my 10s timeout by code to test 
>>>> expiration, and it expires my session after the 10s, but no matter if I'm
>>>> inactive or performing actions and navigating around my app all the time.
>>>> Is this right, or is that one of your fixed bugs? 
>>>> Thanks again Les. You've been invaluable to get my application working! 
>>>> 
>>>> On Fri, Aug 21, 2009 at 12:23 PM, Les Hazlewood 
>>>> wrote: 
>>>>> 
>>>>> In that case you will want the latest snapshot version - now that I
>>>>> think about it, I think one of those bugs did affect session timeout. 
>>>>> 
>>>>> On Fri, Aug 21, 2009 at 11:07 AM, mad rug wrote: 
>>>>> > Les, 
>>>>> > I'm using native session ( 
>>>>> > value="shiro"/>). For 
>>>>> > sure I'm not with the latest version of shiro... I'm using this 
>>>>> > snapshot for over two months. As you say it is unlikely that it is
>>>>> > related to the last fixes, I'll try to keep this version, unless things
>>>>> > do not get in line. 
>>>>> > I just tested global timeout ( 
>>>>> > value="10000"/> ), but the session is not expiring as fast as I 
>>>>> > expected... it lasted minutes. Is a number as low as this accepted? I
>>>>> > used 10s for testing... I plan to use something around 15 minutes. 
>>>>> > I use no listeners so far, but I guess they will do the job. As I said,
>>>>> > I store some user data on the session (name, nick, company it works
>>>>> > for...) and this data is put on the header of every page, so if the
>>>>> > listener is called the first time the expired session is accessed, it
>>>>> > will be fine. 
>>>>> > I'll try that right now... any problem, I'll bother you again! ;-) 
>>>>> > Thanks again! 
>>>>> > On Fri, Aug 21, 2009 at 11:32 AM, Les Hazlewood 
>>>>> > wrote: 
>>>>> >> 
>>>>> >> Hi Mad, 
>>>>> >> 
>>>>> >> Are you using standard ServletContainer sessions?  or Shiro's native
>>>>> >> sessions? 
>>>>> >> 
>>>>> >> If using native sessions, ensure you're using the latest version of
>>>>> >> Shiro - a few session-related bugs were fixed over the last month.  I
>>>>> >> doubt they would be related to what you're seeing, but at least it's
>>>>> >> worth a try. 
>>>>> >> 
>>>>> >> You can also set the global session timeout (for all sessions) by
>>>>> >> setting sessionManager.globalSessionTimeout = desiredMilliseconds. 
>>>>> >> 
>>>>> >> Also, you could implement an org.apache.shiro.session.SessionListener
>>>>> >> to listen to session lifecycle events 
>>>>> >> (securityManager.setSessionListeners(Collection 
>>>>> >> listeners); ).  Note however that session validation (for expiration)
>>>>> >> is done lazily:  you won't receive an 'expiredSession' notification
>>>>> >> the exact instant it expires.  You'll receive the notification if an
>>>>> >> expired session is ever accessed or the next time Shiro's session
>>>>> >> validator executes (configurable - defaults to once per hour I think). 
>>>>> >> 
>>>>> >> Finally, if you want to know about logins and logouts, don't use a
>>>>> >> SessionListener for this - use an 
>>>>> >> org.apache.shiro.authc.AuthenticationListener 
>>>>> >> 
>>>>> >> 
>>>>> >> (securityManager.setAuthenticationListeners(Collection 
>>>>> >> listeners); ). 
>>>>> >> 
>>>>> >> Regards, 
>>>>> >> 
>>>>> >> Les 
>>>>> >> 
>>>>> >> On Fri, Aug 21, 2009 at 9:49 AM, mad rug wrote: 
>>>>> >> > Hi 
>>>>> >> > I'm having some problem with my application. I use Shiro in a
>>>>> >> > Spring MVC application much like the sample included with Shiro. I use
>>>>> >> > Shiro session, and I store some logged user data in it (user ID, company
>>>>> >> > that user belongs to, etc), but sometimes my app seems to be losing its
>>>>> >> > session, like a timeout, but without long inactive periods. I notice it
>>>>> >> > quickly because my header pages contain the name of the user and its
>>>>> >> > company name, and they suddenly are gone, even though I remain authenticated 
>>>>> >> > ( 
>>>>> >> > still returns the user principal). 
>>>>> >> > I don't know where I am missing some config to make the session last
>>>>> >> > longer... how can I handle it? 
>>>>> >> > Moreover, does Shiro provide any facility to handle session timeout,
>>>>> >> > and maybe redirect to some warning page? 
>>>>> >> > Thanks! 
>>>>> > 
>>>>> > 
>>>> 
>>> 
>>> 
> 
> 

 
