Using Apache Shiro 1.2.1 and EHCache 2.6.0 I am attempting to set up my JSF 2 based web application to use Shiro for its authentication and authorization. I have set up a custom realm using db4o as the storage mechanism. The web application itself is running on Glassfish 3.1.2.2.

I use the built-in *passthru* filter to allow me to use a JSF page to prompt for the authentication credentials. This login JSF page then uses a method on a request scoped bean to authenticate the user and, if successful, return a String that will take the user to a secure page; otherwise it returns null to bring the user back to the same login page with error messages displayed.

When I allow Shiro to leverage (by default) the underlying servlet session management of the server, everything works just fine. When I attempt to set up native session management with EHCache, things start to behave poorly. Now when I authenticate, the container immediately throws a "javax.faces.application.ViewExpiredException". The following is my shiro.ini file.

    [main]
    ; Development configuration overrides
    ssl.enabled = false

    ; Production configuration
    sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
    sessionDAO.activeSessionsCacheName = shiro-activeSessionsCache

    genericSessionListener = mylisteners.ShiroSessionListener

    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    sessionManager.globalSessionTimeout = 3600000
    sessionManager.sessionIdCookieEnabled = true
    sessionManager.sessionListeners = $genericSessionListener
    sessionManager.sessionDAO = $sessionDAO

    cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
    cacheManager.cacheManagerConfigFile = classpath:ehcache.xml

    passthru = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
    passthru.loginUrl = /login.jsf?faces-redirect=true
    logout.redirectUrl = /index.jsf?faces-redirect=true

    credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
    credentialsMatcher.hashAlgorithmName = SHA-512
    credentialsMatcher.hashSalted = true
    credentialsMatcher.storedCredentialsHexEncoded = true

    db4oRealm = myrealms.Db4oRealm
    db4oRealm.credentialsMatcher = $credentialsMatcher

    securityManager.realms = $db4oRealm
    securityManager.cacheManager = $cacheManager
    securityManager.sessionManager = $sessionManager

    [urls]
    ; Development configuration overrides
    ; Production configuration
    /u/** = ssl[8181], passthru, roles[ROLE_USER]
    /a/** = ssl[8181], passthru, roles[ROLE_ADMINISTRATOR]
    /logout = logout
    /** = anon

If I comment out the following two lines it reverts back to the default session management (delegation to the web container) and all works as expected.

    ;securityManager.cacheManager = $cacheManager
    ;securityManager.sessionManager = $sessionManager

I took care to follow the instructions as depicted in the reference manual in the sections on session management configuration. So far I have been unable to determine the source of the problem.

I have a suspicion that perhaps the use of the *passthru* filter for authentication (or my particular usage of it) may be the culprit. Any suggestions or ideas would be greatly appreciated.
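
The login flow described in the message above (a JSF page behind the passthru filter calling a request-scoped bean), as an added example that is not the poster's code. The class name `LoginBean`, its fields and the `/u/home` outcome are assumptions chosen to match the `/u/**` rule in the shiro.ini.

```java
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;

// Hypothetical backing bean for login.jsf; all names here are assumptions.
@ManagedBean
@RequestScoped
public class LoginBean {

    private String username;
    private String password;

    // Action method bound to the login form's submit button.
    public String login() {
        char[] secret = (password == null) ? new char[0] : password.toCharArray();
        UsernamePasswordToken token = new UsernamePasswordToken(username, secret);
        try {
            // Delegates to the configured realm and its credentials matcher.
            SecurityUtils.getSubject().login(token);
            // Success: redirect into the area protected by "/u/** = ..., roles[ROLE_USER]".
            return "/u/home?faces-redirect=true";
        } catch (AuthenticationException e) {
            // One generic message for every failure type, so the page does not
            // reveal whether the account exists or the password was wrong.
            FacesContext.getCurrentInstance().addMessage(null,
                    new FacesMessage(FacesMessage.SEVERITY_ERROR,
                            "Login failed", "Invalid username or password."));
            // null outcome: JSF redisplays the same login view with the message.
            return null;
        } finally {
            // Wipe the credential copies held by the token and this bean.
            token.clear();
            password = null;
        }
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```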
