There are three things I can think of off the top of my head: 1. Your ShiroFilter instance does not filter 100% of requests to your app and something in non-Shiro-Filtered request calls request.getSession() creating a Servlet Container session. This is the most likely culprit. Ensure that your ShiroFilter filter mapping is /* and that it sits in front of (above) all other servlet filter mappings in web.xml.
2. Your ShiroFilter catches all requests but it is not the first one in the filter chain. Maybe there is another filter in front of it in the filter chain that calls request.getSession(), which would create a Servlet Container session since the ShiroFilter hasn't executed yet and wasn't able to intercept the getSession() call and direct it to its own Session Management mechanism. 3. If you're using a dynamic framework (e.g. like Grails or something similar) or even a homegrown framework, filters could be injected in the filter chain front of the ShiroFilter without you knowing it. In any event, I'd attach a debugger to your app and stick a breakpoint on HttpServletRequest.getSession() and HttpServletRequest.getSession(boolean) to see what in the call stack is triggering the Servlet Container session. If you don't see Shiro in the call stack, then you'll have found what is causing the problem. Finally, if that still doesn't get you anywhere, please share your relevant Shiro config so we can look for any 'gotchas'. HTH! -- Les Hazlewood CTO, Katasoft | http://www.katasoft.com | 888.391.5282 twitter: @lhazlewood | http://twitter.com/lhazlewood katasoft blog: http://www.katasoft.com/blogs/lhazlewood personal blog: http://leshazlewood.com On Thu, Sep 15, 2011 at 5:38 PM, dan <[email protected]> wrote: > Hi -- > > I'm trying to convert our existing shiro-based web project over to native > sessions. This way, I can handle sessions in a clustered server > environment. > > To shiro.ini, I added EnterpriseCacheSessionDAO and set its sessionDAO to a > CacheManager that I have that uses Hazelcast. I also specified > DefaultWebSessionManager. > > In web.xml, BamIniShiroFilter is the first filter. > > Now, when I go to page with rememberMe, I see a JSESSIONID with the shiro > format. Then when I go to another page, it switches to the tomcat format. > > When I go to the logon page, it displays JSESSIONID in tomcat's format. > > Our application is a bit complex, with a bunch of home-grown stuff and Java > Server Faces. > > I don't understand why any sessions are created with tomcat! Can you point > me to how to debug this? > > Dan > > > -- > View this message in context: > http://shiro-user.582556.n2.nabble.com/Using-native-web-sessions-tp6799265p6799265.html > Sent from the Shiro User mailing list archive at Nabble.com.
