Hi,

 

I'm building a Web app using Shiro as a basis for authentication and RBAC.
I'm using the ShiroFilter loading a shiro INI which sets up a JDBC realm, a
form authentication filter and a log out filter tied into the default
security manager. All this is working as expected. No probs.

/login.jsp = formAuth
/logout = logoutFilter
/** = formAuth

Now I'm trying to get a custom log of login / logout actions working using
AuthenticationListener and am running into some problems. I've added my
custom listener to securityManager.authenticator.authenticationListeners and
it all loads fine. Logins are successfully recorded, I can get the username
from the token's principal. Login failures work in the same way. So far so
good.

securityManager.authenticator.authenticationListeners = $auditLogAuthListener

But when I go to logout, the listener never gets called. AFAICT, this is
because onLogout only ever gets called if there is a non-empty list of
principals (see DefaultSecurityManager.logout) but the principals list never
seems to get set.

 

Has anyone got this to work who could give me a pointer or two to what I'm
doing wrong? It would be much appreciated,

 

Thanks,

 

Richard
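
An audit listener of the kind described in the message above, as an added example that is not code from the original post or from the Shiro project. It assumes `$auditLogAuthListener` in the INI refers to a class like this one; the package name, logger name and event labels are hypothetical.

```java
package com.example.audit; // hypothetical package

import java.util.logging.Logger;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.PrincipalCollection;

/** Writes one audit line per login, failed login and logout event. */
public class AuditLogAuthListener implements AuthenticationListener {

    // Dedicated logger so audit events can be routed to their own handler.
    private static final Logger AUDIT = Logger.getLogger("audit.auth");

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        AUDIT.info("LOGIN_OK user=" + clean(token.getPrincipal()));
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        // Record only the exception type; never log token.getCredentials().
        AUDIT.warning("LOGIN_FAIL user=" + clean(token.getPrincipal())
                + " reason=" + ae.getClass().getSimpleName());
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        // Defensive: tolerate a null or empty collection instead of throwing.
        Object who = (principals == null || principals.isEmpty())
                ? null : principals.getPrimaryPrincipal();
        AUDIT.info("LOGOUT user=" + clean(who));
    }

    /** Replaces control characters so a submitted username cannot start a new audit line. */
    static String clean(Object principal) {
        if (principal == null) {
            return "<unknown>";
        }
        String s = String.valueOf(principal).replaceAll("\\p{Cntrl}", "_");
        // Cap the length so an oversized login name cannot bloat the log.
        return s.length() > 128 ? s.substring(0, 128) + "..." : s;
    }
}
```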

 
