I have an issue where a user's session is suddenly invalidated regardless of
how short a time they've been idle.  (Really, it's that they have to
re-authenticate - I'm assuming it's because of a lost session.)  I also
can't swear to this, but it appears that all of my logged-in users have this
happen at the same time - i.e. occasionally all sessions are invalidated.

I'm using shiro-spring 1.1.0 with native sessions using Ehcache (although
there is only one app server in the 'cluster' right now).  I'm running on
Tomcat 7.0.  Of course, this could be an issue with my own configuration, a
bug in Shiro or Ehcache or even Tomcat, but I'm not sure where my best bet
is to investigate.  Here is my full bean configuration file related to
security (including some references to some of my own Realms, etc.  I'm
assuming these are very unlikely candidates for this particular issue, since
authentication/authorization works while there is a session).

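<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring bean definitions that wire Apache Shiro into the web application:
  credential matching, the application realm, Ehcache-backed native sessions,
  the security manager, and the URL filter chains.
  The stray ';' that the mail archive appended after the namespace attribute
  values has been removed and hard-wrapped attributes rejoined, so the file is
  well-formed again. No bean, property or value has been changed.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!--
      Hashes the submitted credentials with SHA-256 and compares them with the
      stored value, which is decoded as Base64 rather than hex
      (storedCredentialsHexEncoded=false).
      NOTE(review): hashIterations is not set, so the matcher's default applies
      (presumably a single iteration; confirm for this Shiro version). One fast
      SHA-256 round is weak for password storage. Whether a per-user salt is
      supplied depends on FactorlabJPARealm, which is not shown. Raising the
      iteration count requires re-hashing the stored credentials.
    -->
    <bean id="credentialsMatcher"
          class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="SHA-256" />
        <property name="storedCredentialsHexEncoded" value="false" />
    </bean>

    <!-- Application realm (project class, not shown); uses the matcher above. -->
    <bean id="factorlabRealm"
          class="com.factorlab.security.FactorlabJPARealm">
        <property name="userDao" ref="userDao" />
        <property name="credentialsMatcher" ref="credentialsMatcher" />

        <property name="name" value="factorlabRealm" />
    </bean>

    <!-- Custom subject factory (project class, not shown). -->
    <bean id="factorlabSubjectFactory"
          class="com.factorlab.security.FactorlabWebSubjectFactory">
        <property name="userDao" ref="userDao" />
    </bean>

    <!--
      Ehcache-backed cache manager, shared by the security manager and the
      session DAO. Its behaviour is defined by ehcache.xml on the classpath,
      which is not part of this listing.
    -->
    <bean id="ssoCacheManager"
          class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:ehcache.xml" />
    </bean>

    <!--
      Session id cookie. Path "/" means the browser sends it to every web
      application on the same host, not only to this context.
      NOTE(review): the "secure" property is not set here; confirm the cookie
      only ever travels over HTTPS in this deployment.
    -->
    <bean id="ssoCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <property name="name" value="SSOCookie" />
        <property name="path" value="/" />
    </bean>

    <!--
      Stores active sessions in the cache manager above.
      NOTE(review): the session cache name is not set, so Shiro's default
      (shiro-activeSessionCache) is presumably used. If ehcache.xml gives that
      cache, or the default cache it falls back to, a timeToLive/timeToIdle or
      a small in-memory limit without overflow, Ehcache can evict sessions
      independently of Shiro's own session timeout, and the affected users
      would have to log in again. Verify against ehcache.xml.
    -->
    <bean id="sessionDao"
          class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
        <property name="cacheManager" ref="ssoCacheManager" />
    </bean>

    <!--
      Shiro native session manager (sessions are not the servlet container's).
      No globalSessionTimeout is configured, so Shiro's default timeout applies.
    -->
    <bean id="sessionManager"
          class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <property name="sessionDAO" ref="sessionDao" />
        <property name="sessionIdCookie" ref="ssoCookie" />
    </bean>

    <!-- Central security manager tying realm, sessions and caching together. -->
    <bean id="securityManager"
          class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="factorlabRealm" />
        <property name="subjectFactory" ref="factorlabSubjectFactory" />
        <property name="cacheManager" ref="ssoCacheManager" />
        <property name="sessionManager" ref="sessionManager" />
    </bean>

    <!--
      URL filter chains. Shiro evaluates the entries in declaration order and
      the first matching pattern wins, so the anon entries must stay above the
      broader authc/authcBasic patterns that would otherwise cover them.
      NOTE(review): there is no catch-all entry. A request that matches none of
      these patterns gets no Shiro authentication filter; "/*.jsp" covers a
      single path segment only, so a JSP in a sub-directory would fall into
      that gap. Confirm that is intended, or that such paths do not exist.
      NOTE(review): "*.html" has no leading slash, unlike the other keys;
      confirm it matches the intended requests.
      NOTE(review): authcSFDC is not a built-in Shiro filter name; presumably a
      javax.servlet.Filter bean with that id is defined elsewhere.
    -->
    <bean id="shiroFilter"
          class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="loginUrl" value="/login.jsp" />
        <property name="successUrl" value="/Home.jsp" />
        <property name="securityManager" ref="securityManager" />
        <property name="filterChainDefinitionMap">
            <map>
                <entry key="*.html" value="anon" />
                <entry key="/recover.jsp" value="anon" />
                <entry key="/resetpassword.jsp" value="anon" />
                <entry key="/*.jsp" value="authc" />
                <entry key="/ws/forgotpass" value="anon" />
                <entry key="/ws/resetForgotPassword" value="anon" />
                <entry key="/ws/nonAuthenticatLabel" value="anon" />
                <entry key="/mvc/**" value="authcBasic" />
                <entry key="/ws/sfdc/**" value="authcSFDC" />
                <entry key="/ws/**" value="authcBasic" />
            </map>
        </property>
    </bean>

    <!-- Calls init/destroy on Shiro beans that implement the lifecycle interfaces. -->
    <bean id="lifecycleBeanPostProcessor"
          class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

</beans>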


