Hi everyone,

I've created a web project on the JavaEE6 stack and integrated Shiro for
authentication (I documented it here:
http://czetsuya-tech.blogspot.com/2012/10/how-to-use-shiro-with-jdbc-on-javaee6.html),
but I encountered a problem with the Singleton producer approach, wherein
Subject.getPrincipal().getSession() returns a different session id. So I
followed the Shiro web tutorial, and the session problem is fixed.

Currently I still have one problem on logout: the log shows that I'm able to
log out successfully and the deleteMe cookie is added, but for some reason
the subject.logout() call throws:

DEBUG o.a.shiro.mgt.DefaultSecurityManager - Resolved SubjectContext context
session is invalid.  Ignoring and creating an anonymous (session-less)
Subject instance.
org.apache.shiro.session.UnknownSessionException: There is no session with
id [ee30b9ca734dd1ef3fa97f7298bf]

The logout code:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

// JSF action method on the managed bean; the returned outcome drives navigation
public String logout() {
        Subject subject = SecurityUtils.getSubject();
        if (subject != null) {
                subject.logout();
        }

        // faces-redirect=true makes JSF send an HTTP redirect instead of a forward
        return "/home.xhtml?faces-redirect=true";
}

I'm also pasting my shiro.ini and web.xml files in case I have misconfigured
something. Also, I encountered multiple session ids before with this config;
is that still possible? (Previously I did not set up web.xml but configured
ShiroFilter on a Singleton bean with a Subject producer, but I guess that won't
work for Shiro.)

shiro.ini:
[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in shiro.ini
saltedJdbcRealm.jndiDataSourceName = czetsuyaPortal

# the realm should also handle authorization
saltedJdbcRealm.permissionsLookupEnabled = true

# If not set, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM czetsuya_users WHERE username = ?

# If not set, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM czetsuya_roles a INNER JOIN czetsuya_user_roles b ON a.id = b.role_id INNER JOIN czetsuya_users c ON c.id = b.user_id WHERE c.username = ?

# If not set, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM czetsuya_permissions WHERE role = ?

# password hashing specification, put something big for hashIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = saltedJdbcRealm

# INI lines are applied in order: assign the session manager first, otherwise the
# sessionDAO / scheduler settings below land on the default manager that gets replaced
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = shiro-activeSessionCache
securityManager.sessionManager.sessionDAO = $sessionDAO

sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
# 1,800,000 milliseconds = 30 mins
sessionValidationScheduler.interval = 1800000
securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler

# the cookie domain must domain-match the host that serves the app, or browsers
# reject the cookie and every request gets a fresh session
securityManager.sessionManager.sessionIdCookie.domain = com.czetsuya
# 1,800,000 milliseconds = 30 mins
securityManager.sessionManager.globalSessionTimeout = 1800000

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:shiro-ehcache.xml
securityManager.cacheManager = $cacheManager

czetsuyaFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
czetsuyaFilter.loginUrl = /faces/login.xhtml
czetsuyaFilter.unauthorizedUrl = /faces/login.xhtml
# logout.redirectUrl = /faces/login.xhtml

[urls]
/login.xhtml = czetsuyaFilter
/secure/** = czetsuyaFilter
/api/** = noSessionCreation, czetsuyaFilter
# /logout = logout

web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

        <welcome-file-list>
                <welcome-file>home.xhtml</welcome-file>
        </welcome-file-list>

        <listener>
                <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
        </listener>

        <filter>
                <filter-name>ShiroFilter</filter-name>
                <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
        </filter>
        <filter-mapping>
                <filter-name>ShiroFilter</filter-name>
                <url-pattern>/*</url-pattern>
                <dispatcher>REQUEST</dispatcher>
                <dispatcher>FORWARD</dispatcher>
                <dispatcher>INCLUDE</dispatcher>
                <dispatcher>ERROR</dispatcher>
        </filter-mapping>

        <servlet>
                <servlet-name>Faces Servlet</servlet-name>
                <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
                <load-on-startup>1</load-on-startup>
        </servlet>

        <servlet-mapping>
                <servlet-name>Faces Servlet</servlet-name>
                <url-pattern>/faces/*</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
                <servlet-name>Faces Servlet</servlet-name>
                <url-pattern>*.jsf</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
                <servlet-name>Faces Servlet</servlet-name>
                <url-pattern>*.faces</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
                <servlet-name>Faces Servlet</servlet-name>
                <url-pattern>*.xhtml</url-pattern>
        </servlet-mapping>
</web-app>
--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Shiro-session-problem-during-logout-with-JavaEE6-JSF-CDI-tp7577906.html
Sent from the Shiro User mailing list archive at Nabble.com.
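Below is an added example of a JSF logout action written in the defensive shape Shiro's own LogoutFilter uses: subject.logout() is wrapped in a catch for SessionException (the superclass of the UnknownSessionException quoted above), because a session that has already been stopped, expired or evicted from the DAO leaves nothing to log out, and the redirect is issued through the JSF ExternalContext so the response is completed in the same request. This code is not from the original post, the linked blog or Shiro itself; the bean name LogoutBean, its CDI scope and the redirect target are assumptions.

```java
import java.io.IOException;

import javax.enterprise.context.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.subject.Subject;

/*
 * Hypothetical CDI bean backing a JSF logout action. The bean name, scope and
 * redirect target are assumptions for this example, not taken from the post.
 * Reference it from a page as #{logoutBean.logout}.
 */
@Named
@RequestScoped
public class LogoutBean {

    public void logout() throws IOException {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        ExternalContext externalContext = facesContext.getExternalContext();

        Subject subject = SecurityUtils.getSubject();
        try {
            // Clears the principals and stops the Shiro session; with the native
            // DefaultWebSessionManager this also sends the "deleteMe" session cookie.
            subject.logout();
        } catch (SessionException se) {
            // The Shiro session was already stopped, expired or removed from the
            // session DAO (UnknownSessionException is one subtype). Nothing is left
            // to log out, so continue with the redirect instead of failing the request.
        }

        // The container's HttpSession is separate from Shiro's native session and is
        // where JSF keeps its server-side view state; drop it so nothing survives logout.
        HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
        HttpSession httpSession = request.getSession(false);
        if (httpSession != null) {
            httpSession.invalidate();
        }

        // Redirect now; ExternalContext.redirect() marks the response complete, so the
        // rest of the JSF lifecycle does not run against the sessions just invalidated.
        externalContext.redirect(externalContext.getRequestContextPath() + "/faces/home.xhtml");
    }
}
```

The DEBUG line quoted in the post ("Resolved SubjectContext context session is invalid. Ignoring and creating an anonymous (session-less) Subject instance.") is what DefaultSecurityManager logs whenever a request arrives carrying a session-id cookie that no longer resolves to a live session, which is exactly the state of the first request after a successful logout; with the handler above the browser is redirected and Shiro builds a fresh anonymous Subject for it.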