I am using Shiro with JBoss 7. Shiro is configured to use container-managed
sessions.
I have the requirement to record login and logout times of Shiro users to a
database (in seconds-since-the-epoch).
Handling login as well as explicit logout times was easy.
For instance, to record the login I do:

    subject.login(token);
    token.clear();
    dbDAO.makeNoteOfLogin(getUsername(),
            subject.getSession().getHost(),
            subject.getSession().getId().toString());

This inserts a row at the database "user-sessions" table like this:

    principal | user_ip     | user_session | login-time | log-out-time
    ----------------------------------------------------------------------------------
    james     | 173.32.12.1 | IjsoKWB ...  | 1354123490 | NULL (for the time being)

To handle the explicit logout I overrode the onLogout(PrincipalCollection)
method of JdbcRealm in my custom realm code.
However, I can't figure out how to handle implicit logouts due to session
expiry in the web container, as:
[1] Implementing the SessionListener interface only works for native-managed
sessions.
[2] When I tried to implement an HttpSessionListener instead and do the
following:

    class MyHttpSessionListener implements HttpSessionListener {
        ...
        public void sessionDestroyed(HttpSessionEvent se) {
            // this call is what throws the exception quoted below
            SecurityUtils.getSubject().logout();
        }
    }

I got hit by the following exception:

    Session event listener threw exception:
    org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
    accessible to the calling code, either bound to the
    org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an
    invalid application configuration.

So, how can I access the Principal, host-id and session-id of the session
that's expiring so that I may update the relevant row in my sessions'
tracking table at the database with a "log-out time" value?
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/how-to-record-session-expiration-times-in-container-managed-deployments-tp7578005.html
Sent from the Shiro User mailing list archive at Nabble.com.
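
One way to record the expiry time from the container's own listener, as an added example (not code from the original post or from the Shiro project): it keys the update on the HttpSession id that the login row already stores, and reads the principal from the session attribute instead of calling SecurityUtils. Assumptions: the class name SessionExpiryRecorder, the JNDI datasource name, and standard-SQL double-quoted identifiers for the hyphenated table and column names.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import javax.sql.DataSource;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

// Hypothetical listener; register it as a <listener> in web.xml.
public class SessionExpiryRecorder implements HttpSessionListener {
    // Assumption: JNDI name of the datasource that holds the "user-sessions" table.
    private static final String DS_JNDI = "java:jboss/datasources/ExampleDS";
    // Close only rows that are still open, so an explicit logout is not overwritten.
    private static final String CLOSE_ROW =
        "UPDATE \"user-sessions\" SET \"log-out-time\" = ? "
      + "WHERE user_session = ? AND \"log-out-time\" IS NULL";

    @Override public void sessionCreated(HttpSessionEvent se) { }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // The container calls this outside Shiro's filter, so no Subject or
        // SecurityManager is bound to the thread; use the HttpSession directly.
        HttpSession session = se.getSession();
        // With container-managed sessions Shiro stores the principals as a plain
        // session attribute; it is null when nobody is logged in on this session.
        PrincipalCollection pc = (PrincipalCollection)
            session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        String principal = (pc == null) ? null : String.valueOf(pc.getPrimaryPrincipal());
        long now = System.currentTimeMillis() / 1000L; // seconds since the epoch
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DS_JNDI);
            try (Connection c = ds.getConnection();
                 PreparedStatement ps = c.prepareStatement(CLOSE_ROW)) {
                ps.setLong(1, now);
                ps.setString(2, session.getId()); // same id stored at login time
                int rows = ps.executeUpdate();
                session.getServletContext().log(
                    "session ended, principal=" + principal + ", rows closed=" + rows);
            }
        } catch (NamingException | SQLException e) {
            session.getServletContext().log("could not record session end", e);
        }
    }
}
```

The session id is deliberately kept out of the log lines; the principal is looked up only for the audit message, since the row is matched by session id alone.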