Hi everyone, I've created a web project in JavaEE6 stack and integrated Shiro for authentication (I documented here: http://czetsuya-tech.blogspot.com/2012/10/how-to-use-shiro-with-jdbc-on-javaee6.html), but I've encountered a problem with the Singleton producer approach, wherein Subject.getPrincipal().getSession() returns different session id. And so I've followed the shiro web tutorial and, the session problem is fixed.
Currently I still have 1 problem on logout, the log shows that I'm able to successfully logout and the deleteMe cookie is added. But for some reason the part of code subject.logout() throws: DEBUG o.a.shiro.mgt.DefaultSecurityManager - Resolved SubjectContext context session is invalid. Ignoring and creating an anonymous (session-less) Subject instance. org.apache.shiro.session.UnknownSessionException: There is no session with id [ee30b9ca734dd1ef3fa97f7298bf] I'm pasting my shiro.ini and web.xml file in case I have misconfigured something: shiro.ini: [main] saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl # any object property is automatically configurable in Shiro.ini file saltedJdbcRealm.jndiDataSourceName = czetsuyaPortal # the realm should handle also authorization saltedJdbcRealm.permissionsLookupEnabled = true # If not filled, subclasses of JdbcRealm assume "select password from users where username = ?" # first result column is password, second result column is salt saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM czetsuya_users WHERE username = ? # If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?" saltedJdbcRealm.userRolesQuery = SELECT name FROM czetsuya_roles a INNER JOIN czetsuya_user_roles b ON a.id = b.role_id INNER JOIN czetsuya_users c ON c.id = b.user_id WHERE c.username = ? # If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?" saltedJdbcRealm.permissionsQuery = SELECT action FROM czetsuya_permissions WHERE role = ? # password hashing specification, put something big for hasIterations sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher sha256Matcher.hashAlgorithmName = SHA-256 sha256Matcher.hashIterations = 1 saltedJdbcRealm.credentialsMatcher = $sha256Matcher securityManager.realms = saltedJdbcRealm sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO sessionDAO.activeSessionsCacheName = shiro-activeSessionCache securityManager.sessionManager.sessionDAO = $sessionDAO sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler # 1,800,000 milliseconds = 30 mins sessionValidationScheduler.interval = 1800000 securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler securityManager.sessionManager.sessionIdCookie.domain = com.czetsuya # 1,800,000 milliseconds = 30 mins securityManager.sessionManager.globalSessionTimeout = 1800000 cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager cacheManager.cacheManagerConfigFile = classpath:shiro-ehcache.xml securityManager.cacheManager = $cacheManager czetsuyaFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter czetsuyaFilter.loginUrl = /faces/login.xhtml czetsuyaFilter.unauthorizedUrl = /faces/login.xhtml # logout.redirectUrl = /faces/login.xhtml [urls] /login.xhtml = czetsuyaFilter /secure/** = czetsuyaFilter /api/** = noSessionCreation, czetsuyaFilter # /logout = logout web.xml <web-app xmlns="http://java.sun.com/xml/ns/javaee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"; version="3.0"> <welcome-file-list> <welcome-file>home.xhtml</welcome-file> </welcome-file-list> <listener> <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class> </listener> <filter> <filter-name>ShiroFilter</filter-name> <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class> </filter> <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> <dispatcher>INCLUDE</dispatcher> <dispatcher>ERROR</dispatcher> </filter-mapping> <servlet> <servlet-name>Faces Servlet</servlet-name> <servlet-class>javax.faces.webapp.FacesServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>Faces Servlet</servlet-name> <url-pattern>/faces/*</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Faces Servlet</servlet-name> <url-pattern>*.jsf</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Faces Servlet</servlet-name> <url-pattern>*.faces</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>Faces Servlet</servlet-name> <url-pattern>*.xhtml</url-pattern> </servlet-mapping> </web-app> -- View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-intermittent-session-problem-with-JavaEE6-JSF-CDI-tp7577905.html Sent from the Shiro User mailing list archive at Nabble.com.
