Also, I am not using ShiroFilter, but as far as I can see it doesn't do a touch() on the session, so it shouldn't matter as far as I can see.
Anyone has any ideas? Thanks On Aug 7, 2014, at 1:47 AM, Lenny Primak wrote: > I am using Shiro 1.2.3 > > I cannot find anywhere that Shiro uses HttpSessionListener to trap > sessionDestroyed event from the container. > I believe this is leading to a rare race condition in my application, as > Shiro thinks the session is still active, > but in reality, the web session has been destroyed. > > Am I missing something or is this a bug? Should I file a JIRA? > > Code: SecurityUtils.getSubject().getPrincipal(); > > Relevant bit of stack trace: > > Caused by: org.apache.shiro.session.InvalidSessionException: > java.lang.IllegalStateException: PWC2778: getAttribute: Session already > invalidated > at > org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148) > at > org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) > at > org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469) > at > org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153) > at > org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149) > >
