Thanks for the advice. After much further faffing about I eventually figured 
out the problem – the cookie wasn’t being sent to the logout page. A quick 
one-liner and it’s all good:

sessionManager.sessionIdCookie.path = /

If anyone else runs into the problem, check the cookie being sent to the logout 
URL – the redirect will still work and it’ll appear like it’s doing the right 
thing – until you examine the session state which never gets cleared because it 
doesn’t know which session to clear.

Regards,

Richard
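The cookie-path check behind that fix, as an added example (not code from the thread or from Shiro): it applies the RFC 6265 default-path and path-match rules to decide whether the session cookie set by the login response will accompany a request to the logout URL, so the mismatch can be verified from the Set-Cookie header rather than by inspecting session state after the fact. Function names and the sample Set-Cookie strings are mine.

```python
from http.cookies import SimpleCookie


def default_path(uri_path: str) -> str:
    """Default-path for a cookie without a Path attribute (RFC 6265, 5.1.4),
    derived from the path of the request whose response set the cookie."""
    if not uri_path or not uri_path.startswith("/"):
        return "/"
    if uri_path.count("/") <= 1:  # "/login.jsp" -> "/"
        return "/"
    return uri_path[: uri_path.rfind("/")]  # "/app/login.jsp" -> "/app"


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match rule (RFC 6265, 5.1.4): will the browser send the cookie?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    # A prefix only matches on a segment boundary ("/app" vs "/application").
    return request_path[len(cookie_path)] == "/"


def effective_cookie_path(set_cookie: str, set_by_path: str, name: str = "JSESSIONID") -> str:
    """Path the browser stores: the Path attribute, or the default-path when
    the attribute is missing or not absolute (RFC 6265, 5.2.4)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    path = jar[name]["path"]
    if not path or not path.startswith("/"):
        return default_path(set_by_path)
    return path


def session_cookie_reaches(set_cookie: str, set_by_path: str, logout_path: str,
                           name: str = "JSESSIONID") -> bool:
    """True if the session cookie set at set_by_path accompanies a request to
    logout_path. False means the logout handler never sees the session id, so
    it can redirect and look successful while the session is never invalidated."""
    return path_matches(logout_path, effective_cookie_path(set_cookie, set_by_path, name))


if __name__ == "__main__":
    # Constructed sample: login response scopes the cookie to /app; logout is at /logout.
    sid = "JSESSIONID=44256c7e-dd9e-4614-adf9-205f581fc695"
    print("Path=/app reaches /logout:", session_cookie_reaches(sid + "; Path=/app", "/app/login.jsp", "/logout"))
    print("Path=/    reaches /logout:", session_cookie_reaches(sid + "; Path=/", "/app/login.jsp", "/logout"))
```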

From: Lenny Primak [mailto:[email protected]] 
Sent: Wednesday, May 4, 2016 10:59 PM
To: [email protected]
Subject: Re: Recording logouts using AuthenticationListener

Yes, logout does work correctly with Shiro native sessions, and you are correct 
that session timeout isn’t pertinent in this particular case.

I’ve never used logoutFilter directly, so I would start by looking at its 
source code and seeing if it does what you expect it to do.

On May 4, 2016, at 4:55 PM, Richard Wheeldon <[email protected]> wrote:

Many thanks for the response.

I’ve tried debugging it – that’s how I discovered that the principals list was 
empty in the first instance but I’m not a Shiro expert and I’m rather hazy on 
what’s supposed to be setting it in the first place. Any ideas? Whilst it’s 
perfectly possible that I’ve found a bug I very much doubt it’s the primary 
cause of my current problems – it would be a huge security hole if something 
like logout didn’t work.

I’m trying to use the native Shiro sessions with a simple MemorySessionDAO. The 
plan is to put the session info into RDS eventually but I’m trying to keep 
things simple until I get the basic stuff (i.e. login and logout) working. I 
haven’t ruled out the possibility that the native session handling is getting 
in the way but AFAICT it’s not. The cookies passed back and forwards are all of 
the Shiroesque form: JSESSIONID=44256c7e-dd9e-4614-adf9-205f581fc695; 
_ga=GA1.1.775913481.1456225578

I’ve read the link you suggested but I’m not sure the section you refer to is 
entirely pertinent. If I manually logout, surely that should invalidate the 
current session immediately? Or have I misunderstood?

Thanks,

Richard

From: Lenny Primak [mailto:[email protected]] 
Sent: Wednesday, May 4, 2016 10:14 PM
To: [email protected]
Subject: Re: Recording logouts using AuthenticationListener

Have you tried to debug it?  Maybe you have found a bug.

Are you using native Shiro sessions or web session proxy?

If using native sessions, have you set things up according to this 
documentation?

http://shiro.apache.org/session-management.html

section “session validation & scheduling”

On May 4, 2016, at 3:11 PM, Richard Wheeldon <[email protected]> wrote:

I’ve done some more digging with this: I’ve implemented a SessionListener as 
well, and it appears that the sessions aren’t being invalidated either. It 
basically looks like the logout isn’t working at all. Can someone please check 
that I’m not doing something stupid:

1. Am I correct in assuming that LogoutFilter, Subject.logout() or similar 
actions should result in an invalidated session?

2. Should I expect to get an onLogout event in a web application, or is there 
some extra magic I’m missing?

Any help would be much appreciated as I’m still totally stumped on what I 
expected to be a relatively simple exercise,

Thanks,

Richard

From: Richard Wheeldon [mailto:[email protected]]
Sent: Monday, April 4, 2016 4:29 PM
To: [email protected]
Subject: Recording logouts using AuthenticationListener

Hi,

I’m building a Web app using Shiro as a basis for authentication and RBAC. I’m 
using the ShiroFilter loading a shiro INI which sets up a JDBC realm, a form 
authentication filter and a logout filter tied into the default security 
manager. All this is working as expected. No probs.

/login.jsp = formAuth

/logout = logoutFilter

/** = formAuth

Now I’m trying to get a custom log of login / logout actions working using 
AuthenticationListener and am running into some problems. I’ve added my custom 
listener to securityManager.authenticator.authenticationListeners and it all 
loads fine. Logins are successfully recorded, I can get the username from the 
token’s principal. Login failures work in the same way. So far so good.

securityManager.authenticator.authenticationListeners = $auditLogAuthListener

But when I go to logout, the listener never gets called. AFAICT, this is 
because onLogout only ever gets called if there is a non-empty list of 
principals (see DefaultSecurityManager.logout) but the principals list never 
seems to get set.

Has anyone got this to work who could give me a pointer or two to what I’m 
doing wrong? It would be much appreciated,

Thanks,

Richard
