SessionID problem


SessionID problem

Bytor99999
I have no idea how I can fix this or why this is happening.

Environment. I have a web app using Spring MVC and Shiro. I am providing REST apis for logging in and out as well as getting an accessToken. Basically created a Poor man's SSO and OAuth provider.

This is my exception:

javax.servlet.ServletException: Filtered request failed.
        org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:384)
        org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
root cause

java.lang.IllegalArgumentException: The org.apache.shiro.session.mgt.DelegatingSession implementation requires that the SessionKey argument returns a non-null sessionId to support the Session.getId() invocations.
        org.apache.shiro.session.mgt.DelegatingSession.<init>(DelegatingSession.java:70)
        org.apache.shiro.web.session.mgt.DefaultWebSessionManager.createExposedSession(DefaultWebSessionManager.java:166)
        org.apache.shiro.session.mgt.AbstractNativeSessionManager.getSession(AbstractNativeSessionManager.java:98)
        org.apache.shiro.mgt.SessionsSecurityManager.getSession(SessionsSecurityManager.java:125)
        org.apache.shiro.mgt.DefaultSecurityManager.resolveContextSession(DefaultSecurityManager.java:456)
        org.apache.shiro.mgt.DefaultSecurityManager.resolveSession(DefaultSecurityManager.java:442)
        org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:338)
        org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846)
        org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
        org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
        org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
        org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)


I have customized a Cache and CacheManager as well as a custom Realm. My Spring configuration is basically what I found in the docs.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

   
    <bean id="ourRealm" class="com.blah.account.security.shiro.realm.OurRealm">
        <property name="credentialsMatcher" ref="hashMatcher"/>
    </bean>

    <bean id="hashMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="Sha256"/>
        <property name="hashIterations" value="1024"/>
        <property name="storedCredentialsHexEncoded" value="false"/>
    </bean>

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login"/>
        <property name="successUrl" value="/"/>
        <property name="unauthorizedUrl" value="/registration"/>

        <property name="filterChainDefinitions">
            <value>
                # some example chain definitions:
                /admin/** = authc, roles[admin]
                /docs/** = authc, perms[document:read]
                /** = authc
                # more URL-to-FilterChain definitions here
            </value>
        </property>
    </bean>

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
       
        <property name="realm" ref="ourRealm"/>
        <property name="cacheManager" ref="cacheManager"/>
        <property name="sessionManager" ref="sessionManager"/>
    </bean>

    <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <property name="deleteInvalidSessions" value="true"/>
        <property name="cacheManager" ref="cacheManager"/>
       
        <property name="globalSessionTimeout" value="1800000"/>
        <property name="sessionDAO" ref="sessionDAO"/>
    </bean>

    <bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
        <property name="cacheManager" ref="cacheManager"/>
    </bean>


    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

   
   
   
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
        <property name="arguments" ref="securityManager"/>
    </bean>

    <bean id="cacheManager" class="com.blah.account.security.shiro.cache.BlahCacheManager">
        <property name="cache" ref="threadLocalCache"/>
    </bean>

    <bean id="threadLocalCache" class="com.blah.account.security.shiro.cache.ThreadLocalDelegatingCache">
        <property name="wrappedCache" ref="cache"/>
    </bean>

    <bean id="cache" class="com.blah.account.security.shiro.cache.HDPokerCache"/>

</beans>

Thanks. I would type more, but the wife is calling me for dinner.

Thanks

Mark

Re: SessionID problem

Bytor99999
I resolved it. Basically I didn't follow the instructions correctly and put in a bean that specifically had a comment that said, DO NOT do this in a web environment.

 <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">

But I did anyway, and now I removed it and I get beyond it. Now I am getting another error when trying to "cache" the Session into Redis.

redis.clients.jedis.exceptions.JedisDataException: ERR Protocol error: invalid bulk length

But that is a Redis problem not Shiro that I will resolve.

Thanks

Mark

Re: SessionID problem

Bytor99999
Actually, this isn't resolved.

It happens over and over again. It is getting a bit frustrating.

I can have it happen where I login, then logout, and Bam error. This won't work in production. We can't have users getting this error every time they logout.

Mark

Re: SessionID problem

nhhockeyplayer
Sounds like your session is getting invalidated somewhere?
Just a possibility.

Re: SessionID problem

nhhockeyplayer
In reply to this post by Bytor99999
Try tweaking your filter chain defs.

Remove that last one, "/** = authc",

and see what it does.

I am trying to shake out mine

Haven't gotten it to work either.

Re: SessionID problem

Bytor99999
Wow, I am sorry I didn't see that you had responded hockeyplayer. But thanks. I actually had changed it recently to

/** = anon

But I am still getting the error. Now I get it all the time, or I should say I can replicate it.

So I login and everything is fine. Got a session cookie, etc. Then I just click the logout link, and the first time it is fine. Then login again, then click logout link again and error pops up.

Since I have made changes to my filter URLs (before, I had never touched them; they were just copied/pasted from the Shiro documentation), here are the new URLs:

        <property name="filterChainDefinitions">
            <value>
                # some example chain definitions:
                /login = anon
                /logout = authc
                /admin/** = authc, roles[admin]
                /account/** = authc, roles[player]
                /** = anon
                # more URL-to-FilterChain definitions here
            </value>
        </property>

Now I am going to try your suggestion Hockey.

Thanks

Mark

Re: SessionID problem

Bytor99999
In reply to this post by nhhockeyplayer
OK, so removing that last line

/** = anon

Now makes the error occur every time you click the logout link.

But if I just refresh the page, it goes away. But no user is going to use a website where you have to tell them: "Oh, when you log out, make sure you refresh the page when you want to log back in." ;)

Mark

Re: SessionID problem

Bytor99999
OK, just call me an idiot. I am on a Mac and testing/using Safari. Safari has this "private browsing" option. It was turned on. So of course it would happen, because in private browsing it won't store cookies.

So after turning off private browsing, I don't see the error after logging in and out at least 5 times in a row (I didn't go further than that, but assume it will all still work).

Well, now an update to that last sentence. It can work over and over again if I go at a really slow speed in clicking the login and then going and clicking on the logout link. If I give the page 4 seconds after logging in before clicking the logout link that shows up, then it will NOT show the error. If I click it as soon as the page appears with the logout link, then I see the exception.

Adding or removing that last line

/** = anon

had no impact at all on it.

Also setting or not setting the cacheManager property on my Realm bean had a slight impact on it. With it being set it happens more often. Not all the time. Without it, it still happens but a bit less.

So I have run out of ideas. I have found the one that will be impacted the least and will stick with that until someone has some idea of a solution.

One time that I can guarantee it will always happen is if I login, then shut down the server, start the server back up and then refresh the page.

Mark

Re: SessionID problem

teemoer
Hey buddy, now it is 2017; have you solved this problem successfully in the last four years? Because I have encountered this problem now, I would like to seek your help. Thank you very much.

<http://shiro-user.582556.n2.nabble.com/file/t396522/e38a7f8bgy1fl4oe6e3nyj21hk0te7bv.jpg>

--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: SessionID problem

Brian Demers
Please start a new thread with your question. You can reference this one if you think your question is similar.

On Thu, Nov 2, 2017 at 10:14 PM, teemoer <[hidden email]> wrote: