Yes, logout does work correctly with Shiro native sessions, and you are correct that session timeout isn’t pertinent in this particular case. I’ve never used logoutFilter directly, so I would start by looking at its source code and seeing if it does what you expect it to do.
> On May 4, 2016, at 4:55 PM, Richard Wheeldon <[email protected]> wrote:
>
> Many thanks for the response.
>
> I’ve tried debugging it – that’s how I discovered that the principals list was empty in the first instance but I’m not a Shiro expert and I’m rather hazy on what’s supposed to be setting it in the first place. Any ideas? Whilst it’s perfectly possible that I’ve found a bug I very much doubt it’s the primary cause of my current problems – it would be a huge security hole if something like logout didn’t work.
>
> I’m trying to use the native Shiro sessions with a simple MemorySessionDAO. The plan is to put the session info into RDS eventually but I’m trying to keep things simple until I get the basic stuff (i.e. login and logout) working. I haven’t ruled out the possibility that the native session handling is getting in the way but AFAICT it’s not. The cookies passed back and forwards are all of the Shiroesque form:
> JSESSIONID=44256c7e-dd9e-4614-adf9-205f581fc695; _ga=GA1.1.775913481.1456225578
>
> I’ve read the link you suggested but I’m not sure the section you refer to is entirely pertinent. If I manually logout, surely that should invalidate the current session immediately? Or have I misunderstood?
>
> Thanks,
>
> Richard
>
> From: Lenny Primak [mailto:[email protected]]
> Sent: Wednesday, May 4, 2016 10:14 PM
> To: [email protected]
> Subject: Re: Recording logouts using AuthenticationListener
>
> Have you tried to debug it? Maybe you have found a bug.
> Are you using native Shiro sessions or web session proxy?
> If using native sessions, have you set things up according to this documentation?
> http://shiro.apache.org/session-management.html
> section “session validation & scheduling”
>
>> On May 4, 2016, at 3:11 PM, Richard Wheeldon <[email protected]> wrote:
>>
>> I’ve done some more digging with this, I’ve implemented a SessionListener as well and it appears that the sessions aren’t being invalidated either. It basically looks like the logout isn’t working at all. Can someone please check I’m not doing something stupid:
>> 1. Am I correct in assuming that LogoutFilter, Subject.logout() or similar actions should result in an invalidated session?
>> 2. Should I expect to get an onLogout event in a web application or is there some extra magic I’m missing?
>>
>> Any help would be much appreciated as I’m still totally stumped on what I expected to be a relatively simple exercise,
>>
>> Thanks,
>>
>> Richard
>>
>> From: Richard Wheeldon [mailto:[email protected]]
>> Sent: Monday, April 4, 2016 4:29 PM
>> To: [email protected]
>> Subject: Recording logouts using AuthenticationListener
>>
>> Hi,
>>
>> I’m building a Web app using Shiro as a basis for authentication and RBAC. I’m using the ShiroFilter loading a shiro INI which sets up a JDBC realm, a form authentication filter and a log out filter tied into the default security manager. All this is working as expected. No probs.
>> /login.jsp = formAuth
>> /logout = logoutFilter
>> /** = formAuth
>>
>> Now I’m trying to get a custom log of login / logout actions working using AuthenticationListener and am running into some problems. I’ve added my custom listener to securityManager.authenticator.authenticationListeners and it all loads fine. Logins are successfully recorded, I can get the username from the token’s principal. Login failures work in the same way. So far so good.
>> securityManager.authenticator.authenticationListeners = $auditLogAuthListener
>>
>> But when I go to logout, the listener never gets called. AFAICT, this is because onLogout only ever gets called if there is a non-empty list of principals (see DefaultSecurityManager.logout) but the principals list never seems to get set.
>>
>> Has anyone got this to work who could give me a pointer or two to what I’m doing wrong? It would be much appreciated,
>>
>> Thanks,
>>
>> Richard
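The audit listener discussed in the thread, written out as an added example (this is not code from the original posts or from the Shiro project). It implements Shiro’s `AuthenticationListener`, whose `onLogout` is only reached from `DefaultSecurityManager.logout` when the subject still carries a non-empty `PrincipalCollection`, and additionally implements `SessionListener` so that the session stop that logout triggers is recorded even when `onLogout` is not reached, which gives a second signal to check against. The class and package names, the INI wiring shown in the class comment, and the use of SLF4J for output are assumptions for the example.

```java
package com.example.audit; // hypothetical package for this example

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Audit listener that records login success, login failure, logout and
 * session stop/expiry. Example wiring for shiro.ini (assumed, not from the thread):
 *
 *   [main]
 *   auditLogAuthListener = com.example.audit.AuditLogAuthListener
 *   securityManager.authenticator.authenticationListeners = $auditLogAuthListener
 *   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 *   sessionDAO = org.apache.shiro.session.mgt.eis.MemorySessionDAO
 *   sessionManager.sessionDAO = $sessionDAO
 *   sessionManager.sessionListeners = $auditLogAuthListener
 *   securityManager.sessionManager = $sessionManager
 */
public class AuditLogAuthListener implements AuthenticationListener, SessionListener {

    private static final Logger log = LoggerFactory.getLogger(AuditLogAuthListener.class);

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        // Prefer the realm-verified identity from AuthenticationInfo over the
        // caller-supplied token principal when recording a successful login.
        Object principal = info.getPrincipals().getPrimaryPrincipal();
        log.info("LOGIN_OK user={}", principal);
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        // Log the attempted identity and the failure type, never the credential.
        log.warn("LOGIN_FAIL user={} reason={}", token.getPrincipal(), ae.getClass().getSimpleName());
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        // Reached only when DefaultSecurityManager.logout sees a non-empty
        // PrincipalCollection on the subject being logged out.
        log.info("LOGOUT user={}", principals.getPrimaryPrincipal());
    }

    // SessionListener callbacks: DefaultSecurityManager.logout also stops the
    // subject's session, so onStop fires on logout regardless of whether the
    // principal check above passed. Comparing the two streams shows whether a
    // logout reached the authenticator or only invalidated the session.
    @Override
    public void onStart(Session session) {
        log.debug("SESSION_START id={}", session.getId());
    }

    @Override
    public void onStop(Session session) {
        log.info("SESSION_STOP id={}", session.getId());
    }

    @Override
    public void onExpiration(Session session) {
        log.info("SESSION_EXPIRED id={}", session.getId());
    }
}
```

With both listeners registered, a logout that produces a `SESSION_STOP` line but no `LOGOUT` line points at the subject having an empty `PrincipalCollection` at logout time rather than at the session layer, which narrows the investigation described in the thread.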
