Les,

That's the same conclusion I came to. In fact, I'm not quite sure why that logic was in the logout method as it didn't seem to make sense. It was added long ago by another developer who is no longer on my team. I just wanted to make sure there wasn't something I was missing, so thanks for verifying this.

Tauren

On Tue, Feb 8, 2011 at 3:34 PM, Les Hazlewood <[email protected]> wrote:
> Hi Tauren,
>
> It looks to me like the invalidate() method is, under the covers,
> invalidating the session. subject.logout() already does this
> automatically (if a subject logs out, it is fully expected that their
> session should always be stopped). Calling both would cause a problem
> since the 2nd call clearly attempts to invalidate a session that is
> already invalidated (throwing the exception).
>
> Also, for this code sequence:
>
>     SecurityUtils.getSubject().logout();
>     if (SecurityUtils.getSubject().isAuthenticated()) {
>         ...
>     }
>
> the isAuthenticated() check will _always_ return false. Once you log
> out, the subject is no longer considered authenticated. So, just
> reducing your code to this:
>
>     SecurityUtils.getSubject().logout();
>     return true;
>
> should work in all cases.
>
> Because the SecurityUtils.getSubject().isAuthenticated() check was
> always returning false, invalidate() was always being called. Clearly
> the wicket team changed something in their invalidate() logic between
> releases, but I couldn't say what that was.
>
> HTH!
>
> Cheers,
>
> --
> Les Hazlewood
> Founder, Katasoft, Inc.
> Application Security Products & Professional Apache Shiro Support and
> Training:
> http://www.katasoft.com
>
> On Mon, Feb 7, 2011 at 7:18 PM, Tauren Mills <[email protected]> wrote:
> > I'm seeing an exception when users log out of my Wicket application. It
> > seems that the session is being looked up again after it has already been
> > removed. See the exception below.
> >
> > This was not happening when using Wicket 1.4.6, but when I upgrade to
> > 1.4.15 I am getting exceptions. I have confirmed that simply changing wicket
> > versions makes the problem go away or start happening -- no other changes
> > are made to the app except upgrading Wicket.
> >
> > I have this logic in my AuthenticatedSession class (extends wicket's
> > WebSession) that is called when a user requests to log out:
> >
> >     public boolean logout() {
> >         log.info("Member logout: "+SecurityUtils.getSubject().getPrincipal());
> >         SecurityUtils.getSubject().logout();
> >         if (SecurityUtils.getSubject().isAuthenticated())
> >             dirty();
> >         else
> >             invalidate();
> >         return true;
> >     }
> >
> > I can't even remember now why I have that isAuthenticated() test and logic
> > in there. At some point it must have done something, but maybe all I need
> > now is just:
> >
> >     SecurityUtils.getSubject().logout();
> >
> > When I remove the if/then clause, I no longer get an exception. But I'm
> > confused why upgrading Wicket would cause this to happen, as it seems
> > unrelated.
> >
> > Any thoughts on what's going on here?
> >
> > Tauren
> >
> > 2011-02-08 00:58:06,478 WARN - AbstractHttpSessionStore - Error while invalidating Session Store: Session already invalidated
> > java.lang.IllegalStateException: org.apache.shiro.session.UnknownSessionException: There is no session with id [939f87f4-ee49-4347-944c-82e5cb95bebb]
> >     at org.apache.shiro.web.servlet.ShiroHttpSession.getAttribute(ShiroHttpSession.java:133)
> >     at org.apache.wicket.protocol.http.AbstractHttpSessionStore.invalidate(AbstractHttpSessionStore.java:210)
> >     at org.apache.wicket.Session.invalidateNow(Session.java:882)
> >     at org.apache.wicket.Session.detach(Session.java:1196)
> >     at com.sprtz.web.AuthenticatedSession.detach(AuthenticatedSession.java:72)
> >     at org.apache.wicket.RequestCycle.threadDetach(RequestCycle.java:1481)
> >     at org.apache.wicket.RequestCycle.detach(RequestCycle.java:1218)
> >     at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1462)
> >     at org.apache.wicket.RequestCycle.request(RequestCycle.java:545)
> >     at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:486)
> >     at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:319)
> >     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
> >     at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:359)
> >     at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:275)
> >     at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> >     at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> >     at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:344)
> >     at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:272)
> >     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:81)
> >     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
> >     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
> >     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
> >     at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
> >     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
> >     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
> >     at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
> >     at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
> >     at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
> >     at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:729)
> >     at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
> >     at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
> >     at org.mortbay.jetty.Server.handle(Server.java:324)
> >     at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
> >     at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
> >     at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:513)
> >     at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
> >     at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
> >     at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
> >     at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)
> > Caused by: org.apache.shiro.session.UnknownSessionException: There is no session with id [939f87f4-ee49-4347-944c-82e5cb95bebb]
> >     at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
> >     at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
> >     at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
> >     at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
> >     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
> >     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
> >     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:206)
> >     at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141)
> >     at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
> >     at org.apache.shiro.web.servlet.ShiroHttpSession.getAttribute(ShiroHttpSession.java:131)
> >     ... 38 more
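
An added example, not part of the original thread and not Shiro's or Wicket's own code: a stand-alone Java program that reproduces, outside a web container, the behaviour described in the reply above, where logout() alone stops the session and any later access through the old session reference is rejected. It assumes Shiro 1.x on the classpath with its default in-memory session manager; the class name LogoutDemo, the account and the attribute key are constructed for the illustration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

// Hypothetical demo class (assumption: Shiro 1.x, default native session manager).
public class LogoutDemo {
    public static void main(String[] args) {
        // Constructed in-memory account, for illustration only.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("member", "constructed-password");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("member", "constructed-password"));

        // Keep a reference to the session, as a web framework's session store would.
        Session session = subject.getSession();
        session.setAttribute("cart", "demo");
        System.out.println("authenticated before logout: " + subject.isAuthenticated());

        // logout() clears the identity and stops the session in one step.
        subject.logout();

        // The subject is no longer authenticated, so a check placed right
        // after logout() always takes its "not authenticated" branch.
        System.out.println("authenticated after logout: " + subject.isAuthenticated());

        // A second touch of the old session is what the framework-level
        // invalidate() amounted to in the thread: the session is already gone.
        try {
            session.getAttribute("cart");
            System.out.println("old session still readable");
        } catch (InvalidSessionException e) {
            // UnknownSessionException is a subclass of InvalidSessionException.
            System.out.println("old session rejected: " + e.getClass().getSimpleName());
        }
    }
}
```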
