Session expires after log in

Session expires after log in

Erick Barreto
Hi all,

I'm using Shiro in a project with JSF2 + CDI + Primefaces (deployed on WildFly 10). I'm configuring the whole security environment with Shiro only.

The problem I'm facing is this:

When the user logs in, the session automatically expires and I'm not able to get the session from the Subject (Subject.getSession) or from FacesContext. They both return null.

I was able to work around it by changing javax.faces.STATE_SAVING_METHOD to CLIENT, and now I'm able to log in. However, in any navigation, when I go to another page, the Session object returns null like it was happening before.

Enabling the log, I found this exception, which, by the way, happens in both cases:

DEBUG [default task-13] (AbstractShiroFilter.java:411) - No FilterChainResolver configured.  Returning original FilterChain.
DEBUG [default task-14] (SimpleCookie.java:389) - Found 'JSESSIONID' cookie value [308e4bee-23f9-4ab1-8a43-64e1e3950445]
DEBUG [default task-14] (DefaultSecurityManager.java:447) - Resolved SubjectContext context session is invalid.  Ignoring and creating an anonymous (session-less) Subject instance.
org.apache.shiro.session.UnknownSessionException: There is no session with id [308e4bee-23f9-4ab1-8a43-64e1e3950445.sesco11]
        at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
        at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
        at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:148)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getSession(AbstractNativeSessionManager.java:140)
        at org.apache.shiro.mgt.SessionsSecurityManager.getSession(SessionsSecurityManager.java:156)
        at org.apache.shiro.mgt.DefaultSecurityManager.resolveContextSession(DefaultSecurityManager.java:456)
        at org.apache.shiro.mgt.DefaultSecurityManager.resolveSession(DefaultSecurityManager.java:442)
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:338)
        at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846)
        at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)


What's weird is the fact that Shiro is calling AbstractSessionDAO from DefaultSessionManager, but shiro.ini is configured with DefaultWebSessionManager and EnterpriseCacheSessionDAO.

[main]

authc.loginUrl = /login.xhtml

customRealm = xxxx.xxx.xxx.xxx.CustomRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

authenticator = xxx.xxx.xxx.CustomAuthenticator

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO

securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
securityManager.realms = $customRealm
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 1800000
securityManager.authenticator = $authenticator
sessionManager.sessionDAO = $sessionDAO

ssl.enabled = false

[users]

[roles]

[urls]


Am I missing something in the configuration files? Maybe Shiro did not configure itself as described in shiro.ini? Maybe I'm losing the sessions or they are being invalidated.

Thank you,
Erick
Re: Session expires after log in

Brian Demers

On Thu, Feb 2, 2017 at 2:23 PM, Erick Barreto <[hidden email]> wrote:
Hi all,

I'm using Shiro in a project with JSF2 + CDI + Primefaces (deployed on
WildFly 10). I'm configuring the whole security environment with Shiro only.

The problem I'm facing is this:

When the user logs in, the session automatically expires and I'm not able to
get the session from the Subject (Subject.getSession) or from FacesContext.
They both return null.

I was able to work around it by changing javax.faces.STATE_SAVING_METHOD to
CLIENT, and now I'm able to log in. However, in any navigation, when I go to
another page, the Session object returns null like it was happening before.

Enabling the log, I found this exception, which, by the way, happens in both
cases:

DEBUG [default task-13] (AbstractShiroFilter.java:411) - No FilterChainResolver configured.  Returning original FilterChain.
DEBUG [default task-14] (SimpleCookie.java:389) - Found 'JSESSIONID' cookie value [308e4bee-23f9-4ab1-8a43-64e1e3950445]
DEBUG [default task-14] (DefaultSecurityManager.java:447) - Resolved SubjectContext context session is invalid.  Ignoring and creating an anonymous (session-less) Subject instance.
org.apache.shiro.session.UnknownSessionException: There is no session with id [308e4bee-23f9-4ab1-8a43-64e1e3950445.sesco11]
        at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
        at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
        at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:148)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getSession(AbstractNativeSessionManager.java:140)
        at org.apache.shiro.mgt.SessionsSecurityManager.getSession(SessionsSecurityManager.java:156)
        at org.apache.shiro.mgt.DefaultSecurityManager.resolveContextSession(DefaultSecurityManager.java:456)
        at org.apache.shiro.mgt.DefaultSecurityManager.resolveSession(DefaultSecurityManager.java:442)
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:338)
        at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846)
        at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)


What's weird is the fact that Shiro is calling AbstractSessionDAO from
DefaultSessionManager, but shiro.ini is configured with
DefaultWebSessionManager and EnterpriseCacheSessionDAO.

[main]

authc.loginUrl = /login.xhtml

customRealm = xxxx.xxx.xxx.xxx.CustomRealm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

authenticator = xxx.xxx.xxx.CustomAuthenticator

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO

securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
securityManager.realms = $customRealm
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 1800000
securityManager.authenticator = $authenticator
sessionManager.sessionDAO = $sessionDAO

ssl.enabled = false

[users]

[roles]

[urls]


Am I missing something in the configuration files? Maybe Shiro did not
configure itself as described in shiro.ini? Maybe I'm losing the sessions or
they are being invalidated.

Thank you,
Erick




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Session-expires-after-log-in-tp7581491.html
Sent from the Shiro User mailing list archive at Nabble.com.