Issue with Shiro on Multi Threaded Servers. Same Session Id's are generated for Different Users


sreenivas harshith
Hi,


I have this issue with Shiro on multi-threaded servers like Tomcat with HTTP NIO enabled, where I keep getting the same session IDs for different users when I use SecurityUtils.getSubject() to acquire the currently executing user. SecurityUtils.getSubject() uses ThreadContext internally, and I guess the Subject is getting shared across threads, as I am using TomEE with HTTP NIO and threads are reused across requests. I debugged it and found that SecurityUtils.getSubject().isAuthenticated() returns true for a new request before the user has even been authenticated with login(token). The only workaround I found was to build the Subject with Subject.Builder:

 Subject currentUser = new Subject.Builder().buildSubject();


This would fix the above issue I had with multi-threaded servers.

I had discussed the above issue with Brian Demers before. Please find the same below.



I just want to raise the issue with the Shiro community, together with the possible workaround above. Below are the details of a basic test case to reproduce the issue.

Server: any multi-threaded server (Apache TomEE Web Profile).
Default session manager and a realm defined.
Get the Subject using SecurityUtils.getSubject() and log the user in with the token.
Try logging in the same user multiple times, let's say 10 times.
Expected output: 10 different session IDs, one every time the user logs in.
Actual output: the first 5 requests will emit 5 different session IDs and the next 5 requests will emit the previously emitted session IDs in an undefined order.



Regards,
Sreenivas Harshith.
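The behaviour described in this post (and in the test case repeated in the replies below) can be reproduced outside a servlet container, because the cause is Shiro's thread-bound ThreadContext rather than Tomcat itself: SecurityUtils.getSubject() returns whatever Subject is already bound to the current thread, and on a pooled thread that is the previous request's Subject unless something unbinds it. The following Java program is an added example, not code from this thread or from the Shiro project. It runs two "requests" on a single pooled worker thread, first with the pattern from the post (SecurityUtils.getSubject() followed by login(), nothing unbound afterwards), then with a fresh Subject scoped to each request through Subject.execute() and cleared with ThreadContext.remove(). The in-memory realm, the account names alice/bob and their passwords are constructed for the demo. In a web application this per-request bind/unbind is what ShiroFilter performs; requests that do not pass through that filter leave the bound Subject on the reused thread, which is the cross-user session ID reuse reported above.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class ThreadContextLeakDemo {

    // Constructed in-memory realm with two fictitious accounts (demo data, not from the thread).
    static DefaultSecurityManager buildSecurityManager() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "alice-pw");
        realm.addAccount("bob", "bob-pw");
        DefaultSessionManager sessions = new DefaultSessionManager();
        sessions.setSessionValidationSchedulerEnabled(false); // no background validation thread for the demo
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        sm.setSessionManager(sessions);
        return sm;
    }

    // The pattern from the post: take whatever Subject is bound to the worker thread,
    // log in, and never unbind. Returns "principalSeenBeforeLogin -> sessionId".
    static Callable<String> leakyRequest(String user, String pw) {
        return () -> {
            Subject current = SecurityUtils.getSubject(); // reuses the previous request's Subject if still bound
            String before = current.isAuthenticated()
                    ? String.valueOf(current.getPrincipal()) : "anonymous";
            current.login(new UsernamePasswordToken(user, pw));
            return before + " -> " + current.getSession().getId();
        };
    }

    // Fix: build a fresh Subject per request and scope it to the work with execute(),
    // which binds it to ThreadContext for the call and restores the previous state afterwards.
    // The finally block then removes anything left on the pooled thread.
    static Callable<String> scopedRequest(DefaultSecurityManager sm, String user, String pw) {
        return () -> {
            Subject fresh = new Subject.Builder(sm).buildSubject();
            try {
                return fresh.execute(() -> {
                    Subject current = SecurityUtils.getSubject(); // inside execute(), this is 'fresh'
                    String before = current.isAuthenticated()
                            ? String.valueOf(current.getPrincipal()) : "anonymous";
                    current.login(new UsernamePasswordToken(user, pw));
                    return before + " -> " + current.getSession().getId();
                });
            } finally {
                fresh.logout();          // release the server-side session when the request is done
                ThreadContext.remove();  // nothing may survive on the thread for the next request
            }
        };
    }

    public static void main(String[] args) throws Exception {
        DefaultSecurityManager sm = buildSecurityManager();
        SecurityUtils.setSecurityManager(sm);

        // One worker thread plays the role of a Tomcat NIO executor thread reused across requests.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            System.out.println("leaky  alice: " + worker.submit(leakyRequest("alice", "alice-pw")).get());
            System.out.println("leaky  bob:   " + worker.submit(leakyRequest("bob", "bob-pw")).get());
            // bob's request starts with alice already authenticated and returns her session id.

            System.out.println("scoped alice: " + worker.submit(scopedRequest(sm, "alice", "alice-pw")).get());
            System.out.println("scoped bob:   " + worker.submit(scopedRequest(sm, "bob", "bob-pw")).get());
            // each request starts anonymous and gets its own session id.
        } finally {
            worker.shutdown();
        }
    }
}
```

Run it with shiro-core (and its slf4j-api dependency) on the classpath. The first pair of lines shows the second request starting with the first user's principal already authenticated and returning the same session ID; the second pair shows each request starting anonymous with a distinct session ID. The session reuse is the security-relevant part: a request that inherits another user's bound Subject also inherits that user's authentication and authorization state until login() replaces it, so the per-request unbind, whether done by ShiroFilter or by an explicit ThreadContext.remove() in a finally block, is not optional.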





Re: Issue with Shiro on Multi Threaded Servers. Same Session Id's are generated for Different Users

sreenivas harshith
Forgot to mention that I used JAX-RS RESTful services.

Regards,
Sreenivas Harshith.


On Tuesday, August 1, 2017 7:20 PM, sreenivas harshith <[hidden email]> wrote:
Re: Issue with Shiro on Multi Threaded Servers. Same Session Id's are generated for Different Users

sreenivas harshith
Full test case:

Server: any multi-threaded server (Apache TomEE Web Profile).
Default session manager and a realm defined.
Get the Subject using SecurityUtils.getSubject() and log the user in with the token.
Try logging in the same user multiple times, let's say 10 times.
Expected output: 10 different session IDs, one every time the user logs in.
Actual output: the first 5 requests will emit 5 different session IDs and the next 5 requests will emit the previously emitted session IDs in an undefined order.
JAX-RS RESTful services.
I had increased the number of threads in Tomcat's server.xml.


On Tuesday, August 1, 2017 7:23 PM, sreenivas harshith <[hidden email]> wrote: