Hi Tauren,
It looks to me like the invalidate() method is, under the covers,
invalidating the session. subject.logout() already does this
automatically (if a subject logs out, it is fully expected that their
session should always be stopped). Calling both would cause a problem
since the 2nd call clearly attempts to invalidate a session that is
already invalidated (throwing the exception).
Also, for this code sequence:
SecurityUtils.getSubject().logout();
if (SecurityUtils.getSubject().isAuthenticated()) {
    ...
}
the isAuthenticated() check will _always_ return false. Once you log
out, the subject is no longer considered authenticated. So, just
reducing your code to this:
SecurityUtils.getSubject().logout();
return true;
should work in all cases.
Because the SecurityUtils.getSubject().isAuthenticated() check was
always returning false, invalidate() was always being called. Clearly
the Wicket team changed something in their invalidate() logic between
releases, but I couldn't say what that was.
HTH!
Cheers,
--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
On Mon, Feb 7, 2011 at 7:18 PM, Tauren Mills <[email protected]> wrote:
> I'm seeing an exception when users log out of my Wicket application. It
> seems that the session is being looked up again after it has already been
> removed. See the exception below.
> This was not happening when using Wicket 1.4.6, but when I upgrade to 1.4.15
> I am getting exceptions. I have confirmed that simply changing wicket
> versions makes the problem go away or start happening -- no other changes
> are made to the app except upgrading Wicket.
> I have this logic in my AuthenticatedSession class (extends Wicket's
> WebSession) that is called when a user requests to log out:
> public boolean logout() {
>     log.info("Member logout: " + SecurityUtils.getSubject().getPrincipal());
>     SecurityUtils.getSubject().logout();
>     if (SecurityUtils.getSubject().isAuthenticated())
>         dirty();
>     else
>         invalidate();
>     return true;
> }
> I can't even remember now why I have that isAuthenticated() test and logic
> in there. At some point it must have done something, but maybe all I need
> now is just:
> SecurityUtils.getSubject().logout();
> When I remove the if/then clause, I no longer get an exception. But I'm
> confused why upgrading Wicket would cause this to happen, as it seems
> unrelated.
> Any thoughts on what's going on here?
> Tauren
>
> 2011-02-08 00:58:06,478 WARN - AbstractHttpSessionStore - Error while invalidating Session Store: Session already invalidated
> java.lang.IllegalStateException: org.apache.shiro.session.UnknownSessionException: There is no session with id [939f87f4-ee49-4347-944c-82e5cb95bebb]
>     at org.apache.shiro.web.servlet.ShiroHttpSession.getAttribute(ShiroHttpSession.java:133)
>     at org.apache.wicket.protocol.http.AbstractHttpSessionStore.invalidate(AbstractHttpSessionStore.java:210)
>     at org.apache.wicket.Session.invalidateNow(Session.java:882)
>     at org.apache.wicket.Session.detach(Session.java:1196)
>     at com.sprtz.web.AuthenticatedSession.detach(AuthenticatedSession.java:72)
>     at org.apache.wicket.RequestCycle.threadDetach(RequestCycle.java:1481)
>     at org.apache.wicket.RequestCycle.detach(RequestCycle.java:1218)
>     at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1462)
>     at org.apache.wicket.RequestCycle.request(RequestCycle.java:545)
>     at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:486)
>     at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:319)
>     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
>     at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:359)
>     at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:275)
>     at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>     at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>     at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:344)
>     at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:272)
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:81)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
>     at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
>     at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
>     at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
>     at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
>     at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:729)
>     at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
>     at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
>     at org.mortbay.jetty.Server.handle(Server.java:324)
>     at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
>     at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
>     at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:513)
>     at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
>     at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
>     at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
>     at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)
> Caused by: org.apache.shiro.session.UnknownSessionException: There is no session with id [939f87f4-ee49-4347-944c-82e5cb95bebb]
>     at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
>     at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
>     at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
>     at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
>     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
>     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
>     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:206)
>     at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141)
>     at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
>     at org.apache.shiro.web.servlet.ShiroHttpSession.getAttribute(ShiroHttpSession.java:131)
>     ... 38 more
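As an added example (not code from either message, nor from the Shiro or Wicket projects), here is what the reduced logout() Les describes looks like when written out in full for the AuthenticatedSession class from the question. It assumes Wicket 1.4's WebSession(Request) constructor, an SLF4J logger for the `log` field the question uses, and a hypothetical package name; everything else is the Shiro Subject API as used in the thread. The two assertions at the end make the post-conditions explicit: after Subject.logout() the subject is not authenticated and has no session, which is exactly why the old `if (isAuthenticated()) dirty(); else invalidate();` branch always ended up in invalidate() and tripped over the session Shiro had already stopped.

```java
package com.example.web; // hypothetical package name

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.wicket.Request;
import org.apache.wicket.protocol.http.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Wicket 1.4 session backed by Shiro for authentication state.
 * Added example; the class name comes from the question, the body does not.
 */
public class AuthenticatedSession extends WebSession {

    private static final long serialVersionUID = 1L;

    // Assumption: the question's "log" field is an SLF4J logger.
    private static final Logger log = LoggerFactory.getLogger(AuthenticatedSession.class);

    public AuthenticatedSession(Request request) {
        super(request); // Wicket 1.4 WebSession constructor
    }

    /**
     * Logs the current user out.
     *
     * Subject.logout() already stops the Shiro-managed session, so Wicket's
     * Session.invalidate() must not be called afterwards: Wicket would then
     * try to read attributes from a session Shiro has already removed during
     * detach(), which is the UnknownSessionException in the stack trace above.
     */
    public boolean logout() {
        Subject subject = SecurityUtils.getSubject();

        // Capture the identity before logging out; afterwards getPrincipal()
        // returns null and the audit line would be useless.
        Object principal = subject.getPrincipal();
        if (principal != null) {
            log.info("Member logout: {}", principal);
        }

        // One call: clears authentication state and stops the Shiro session.
        subject.logout();

        // Post-conditions (checked only when the JVM runs with -ea). Both hold
        // after logout(), so branching on isAuthenticated() here is pointless
        // and calling invalidate() in the "else" path is what caused the error.
        assert !subject.isAuthenticated() : "subject still authenticated after logout()";
        assert subject.getSession(false) == null : "Shiro session still present after logout()";

        return true;
    }
}
```

The point for anyone maintaining similar code: session teardown should have exactly one owner. When Shiro's session manager owns the session (as it does here, with ShiroHttpSession wrapping the container session), Subject.logout() is the teardown, and any second invalidation from the framework layer above it is at best redundant and at worst a request-time exception on every logout.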