Hi Les
Once again, thanks for taking the time to look at this problem.
Les Hazlewood-2 wrote
> It is strongly recommended in web apps that a logout call should do
> nothing but call subject.logout() and then immediately redirect to a
> new view.
I've removed as much code as possible from the method in the backing bean
which is executed when the user clicks the logout button. The code is as
follows:
    public String submit() {
        try {
            System.out.println("****Logging out****");
            SecurityUtils.getSubject().logout();
        } catch (IllegalStateException e) {
            System.out.println("Do nothing");
        } catch (UnknownSessionException e) {
            System.out.println("Do nothing");
        }
        Faces.redirect("login.xhtml");
        return null;
    }
I've even tried commenting out the redirect so that clicking on the logout
button should just end the session and nothing more, but the error is still
thrown and uncaught by the above catch block.
Les Hazlewood-2 wrote
> I'd connect a debugger and put a breakpoint on
> DelegatingSubject.getSession() to see what in the call stack is
> attempting to get a session after you've explicitly called logout.
I've set a breakpoint on DelegatingSubject.getSession() and
DelegatingSubject.getSession(boolean). The DelegatingSubject.getSession()
method was not called, but the DelegatingSubject.getSession(boolean) method
was called four times after the user clicked on the logout button, and in all
four cases the Logout.submit() method, which is the backing bean method, is in
the call stack.
The first time the getSession(boolean) method is called, the first 5 lines
of the call stack are:
WebDelegatingSubject(DelegatingSubject).getSession(boolean) line: 316
WebDelegatingSubject(DelegatingSubject).clearRunAsIdentities() line: 475
WebDelegatingSubject(DelegatingSubject).clearRunAsIdentitiesInternal() line: 353
WebDelegatingSubject(DelegatingSubject).logout() line: 362
Logout.submit() line: 18
The second time the getSession(boolean) method is called, the first 6 lines
of the call stack are:
WebDelegatingSubject(DelegatingSubject).getSession(boolean) line: 316
WebDelegatingSubject(DelegatingSubject).getRunAsPrincipalsStack() line: 467
WebDelegatingSubject(DelegatingSubject).getPrincipals() line: 153
DefaultWebSecurityManager(DefaultSecurityManager).logout(Subject) line: 547
WebDelegatingSubject(DelegatingSubject).logout() line: 363
Logout.submit() line: 18
The third time the getSession(boolean) method is called, the first 7 lines
of the call stack are:
WebDelegatingSubject(DelegatingSubject).getSession(boolean) line: 316
DefaultSubjectDAO.removeFromSession(Subject) line: 268
DefaultSubjectDAO.delete(Subject) line: 281
DefaultWebSecurityManager(DefaultSecurityManager).delete(Subject) line: 397
DefaultWebSecurityManager(DefaultSecurityManager).logout(Subject) line: 559
WebDelegatingSubject(DelegatingSubject).logout() line: 363
Logout.submit() line: 18
The fourth time the getSession(boolean) method is called, the first 5 lines
of the call stack are:
WebDelegatingSubject(DelegatingSubject).getSession(boolean) line: 316
DefaultWebSecurityManager(DefaultSecurityManager).stopSession(Subject) line: 579
DefaultWebSecurityManager(DefaultSecurityManager).logout(Subject) line: 567
WebDelegatingSubject(DelegatingSubject).logout() line: 363
Logout.submit() line: 18
I've uploaded a new trace with org.apache.shiro set to FINEST to pastebin
here http://pastebin.com/tZwEhpWs and I've uploaded the full call stack,
with the times cross-referenced to the getSession(boolean) calls in the
trace, to pastebin here http://pastebin.com/4eUr88yR
Would you be able to take a look at the trace and call stack to see whether
this sheds any light on what might be causing the problem please?
Kind Regards
Paul
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/UnknownSessionException-when-calling-logout-method-using-Shiro-s-built-in-session-management-tp7578804p7578826.html
Sent from the Shiro User mailing list archive at Nabble.com.