Hi,

I have this issue with Shiro on multi-threaded servers like Tomcat with HTTP NIO enabled, where I keep getting the same session IDs for different users when I use SecurityUtils.getSubject() to acquire the currently executing user. SecurityUtils.getSubject() uses ThreadContext inside, and I guess the subject is getting shared across threads, as I am using TomEE with HTTP NIO and threads are reused across requests. I did debug to find that SecurityUtils.getSubject().isAuthenticated() returns true for a new request before even authenticating him with login(token).

The only workaround I found was to build the subject with SubjectBuilder:

    Subject currentUser = new Subject.Builder().buildSubject();

This would fix the above issue I had with multi-threaded servers. I had discussed the above issue with Brian Demers before. Please find the same below.

[SHIRO-613] StoppedSessionException: Session with id has been explicitly stopped. No further interaction under this session is allowed. - ASF JIRA

I just want to quote the issue with the Shiro community and the possible workaround as above. Below are the details of a basic test case to reproduce the issue.

Server: Any multi-threaded server (Apache TomEE WebProfile).
Default session manager and a realm defined.
Get the subject using SecurityUtils.getSubject() and log in the user with the token.
Try logging in the same user multiple times, let's say 10 times.
Expected output: 10 different session IDs every time the user logs in.
Actual output: The first 5 requests will emit 5 different session IDs, and the next 5 requests will emit the previously emitted session IDs in an undefined order.

Regards,
Sreenivas Harshith
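
The pattern the post suspects, a thread-bound value surviving into a later request on a reused pool thread, can be reproduced with JDK classes alone. The following is an added example, not code from the post or from Shiro: a `ThreadLocal` named `CURRENT` stands in for the thread-bound subject, all names are hypothetical, and the pool size of 5 is an assumption chosen to match the numbers in the test case.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration: a ThreadLocal stands in for a thread-bound subject/session.
// All names are hypothetical; nothing below is Shiro code.
public class ThreadBoundLeakDemo {
    static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    static final AtomicInteger NEXT_ID = new AtomicInteger();

    // Get-or-create lookup keyed only on the calling thread.
    static String currentSession() {
        String s = CURRENT.get();
        if (s == null) {
            s = "session-" + NEXT_ID.incrementAndGet();
            CURRENT.set(s);
        }
        return s;
    }

    // Runs `requests` simulated logins on a pool of `threads` reused workers
    // and returns the session id each request observed.
    static List<String> run(int requests, int threads, boolean cleanup) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        List<Future<String>> futures = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            futures.add(pool.submit(() -> {
                try {
                    return currentSession();
                } finally {
                    // Unbind before the thread goes back to the pool.
                    if (cleanup) CURRENT.remove();
                }
            }));
        }
        List<String> ids = new ArrayList<>();
        for (Future<String> f : futures) ids.add(f.get());
        pool.shutdown();
        return ids;
    }

    public static void main(String[] args) throws Exception {
        // 10 requests on 5 reused threads (assumed pool size).
        System.out.println("no cleanup  : " + run(10, 5, false));
        System.out.println("with cleanup: " + run(10, 5, true));
    }
}
```

Without the `finally` cleanup the ten requests can see at most five distinct ids, because each worker thread keeps the value bound by its first request; with the cleanup every request gets a fresh one.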
