Hi,
I have some questions regarding sessions and the API behaviour.
If I execute the following code:
Factory<org.apache.shiro.mgt.SecurityManager> factory =
new IniSecurityManagerFactory("vkb.ini");
org.apache.shiro.mgt.SecurityManager securityManager =
factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
Subject user = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("user",
"battle1");
user.login(token);
Session session = user.getSession();
session.setTimeout(0);
user.logout();
The logout method causes the following exception to occur:
Exception in thread "main" org.apache.shiro.session.ExpiredSessionException:
Session with id [7c3d80f2-ae4c-49b5-9a2d-a2c0f39cd904] has expired. Last
access time: 28/09/11 09:35. Current time: 28/09/11 09:35. Session timeout
is set to 0 seconds (0 minutes)
at
org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:276)
at
org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:180)
at
org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
at
org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
at
org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
at
org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
at
org.apache.shiro.session.mgt.AbstractNativeSessionManager.removeAttribute(AbstractNativeSessionManager.java:220)
at
org.apache.shiro.session.mgt.DelegatingSession.removeAttribute(DelegatingSession.java:159)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
at
org.apache.shiro.subject.support.DelegatingSubject.logout(DelegatingSubject.java:322)
at
com.thalesgroup.battlelab.vkb.test.SecurityTest.main(SecurityTest.java:45)
The only reason I'm calling setTimeout(0) is to simulate the session
expiring due to a timeout that occurs in the system. Why would the logout
fail just because the session has expired? How can I get around this issue?
If I execute the following code:
Factory<org.apache.shiro.mgt.SecurityManager> factory =
new IniSecurityManagerFactory("vkb.ini");
org.apache.shiro.mgt.SecurityManager securityManager =
factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
Subject user = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("user",
"battle1");
user.login(token);
user.login(token);
user.login(token);
user.login(token);
user.login(token);
Session session = user.getSession();
session.setTimeout(0);
user.login(token);
The last login command throws an exception with the following stack trace:
Exception in thread "main" org.apache.shiro.session.ExpiredSessionException:
Session with id [96aa8e29-4a55-4c79-be48-8ed90f49da85] has expired. Last
access time: 28/09/11 09:41. Current time: 28/09/11 09:41. Session timeout
is set to 0 seconds (0 minutes)
at
org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:276)
at
org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:180)
at
org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
at
org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
at
org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
at
org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
at
org.apache.shiro.session.mgt.AbstractNativeSessionManager.removeAttribute(AbstractNativeSessionManager.java:220)
at
org.apache.shiro.session.mgt.DelegatingSession.removeAttribute(DelegatingSession.java:159)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at
org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
at
org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:246)
at
com.thalesgroup.battlelab.vkb.test.SecurityTest.main(SecurityTest.java:49)
Is this the same problem. Why can't I login after the a session has
expired? How can I login after a session has expired?
It is probably me misunderstanding the API but any help would be greatly
appreciated.
Best regards
Matt
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Question-regarding-Sessions-tp6839424p6839424.html
Sent from the Shiro User mailing list archive at Nabble.com.
