Update The error message was rather intimidating and it made me more eager to post it to the list. After some thought I decided to dig it a little bit more myself so I have downloaded the shiro source code and did some debugging.
What I came across is that the error was a side-effect from our existing login code where we invalidated the session before our login code to protect from session stealing attacks. So the shiro code that tried to remove key org.apache.shiro.subject.support.DelegatingSubject.RUN_AS_PRINCIPALS_SESSION_KEY is failing. Just some thoughts: Is shiro trying to clean the session from previous logins? Should this key be always present? Shouldn't shiro check if a Session is not invalidated before trying to remove that key? Giorgos -- View this message in context: http://shiro-user.582556.n2.nabble.com/Problem-when-integrating-shiro-in-webapp-deployed-on-IBM-websphere-tp6377316p6377784.html Sent from the Shiro User mailing list archive at Nabble.com.
