-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55890/#review163027
-----------------------------------------------------------



From this page (https://shiro.apache.org/session-management.html):
"By default, Shiro’s SessionManager implementations default to a 30 minute 
session timeout. That is, if any Session created remains idle (unused, where 
its lastAccessedTime isn’t updated) for 30 minutes or more, the Session is 
considered expired and will not be allowed to be used anymore.
You can set the default SessionManager implementation’s globalSessionTimeout 
property to define the default timeout value for all sessions. For example, if 
you wanted the timeout to be an hour instead of 30 minutes."

Given that, wouldn't a better fix be to update lastAccessedTime as opposed to 
never expiring a session?

- Swapnil Bawaskar


On Jan. 25, 2017, 7:01 p.m., Kirk Lund wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55890/
> -----------------------------------------------------------
> 
> (Updated Jan. 25, 2017, 7:01 p.m.)
> 
> 
> Review request for geode, Jinmei Liao, Jared Stewart, Kevin Duling, and 
> Swapnil Bawaskar.
> 
> 
> Bugs: GEODE-2354
>     https://issues.apache.org/jira/browse/GEODE-2354
> 
> 
> Repository: geode
> 
> 
> Description
> -------
> 
> Use of security-manager results in 
> org.apache.shiro.session.UnknownSessionExceptions being thrown from protected 
> operations after 30 minutes idle (the default global session timeout in 
> Apache Shiro).
> 
> GFSH connects to the JMX Manager but this connection has no timeout even if 
> the cluster is secured. So after 30 minutes of being idle, GFSH will remain 
> connected to the JMX Manager but all commands that are protected will result 
> in an UnknownSessionException.
> 
> The changes in the change set simply set the global session timeout to 
> MAX_VALUE if the user has specified a security-manager. If the user specifies 
> security-shiro-init (for a custom shiro.ini) then we leave the global session 
> configuration to the user's shiro.ini.
> 
> 
> Diffs
> -----
> 
>   geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java 73d051f834425f1cf2c2164925f890bf42d36a9d 
> 
> Diff: https://reviews.apache.org/r/55890/diff/
> 
> 
> Testing
> -------
> 
> precheckin in progress
> 
> 
> Thanks,
> 
> Kirk Lund
> 
>
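
The two options discussed in this thread, side by side, as an added example that is not part of the review or of Geode's code: Shiro's SimpleSession under the default 30 minute idle timeout, with a touch() refresh, and with a MAX_VALUE timeout. It assumes shiro-core on the classpath; the class name, the host label, the idle durations and the heartbeat are constructed for illustration.

```java
import java.util.Date;
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.mgt.SimpleSession;

public class IdleTimeoutDemo {
    static final long THIRTY_MIN = 30L * 60 * 1000; // Shiro's default global session timeout

    // Builds a session whose last access lies idleMillis in the past (constructed state).
    static SimpleSession idleSession(long timeoutMillis, long idleMillis) {
        SimpleSession s = new SimpleSession("gfsh-client"); // hypothetical host label
        s.setTimeout(timeoutMillis);
        s.setLastAccessTime(new Date(System.currentTimeMillis() - idleMillis));
        return s;
    }

    // SimpleSession.validate() throws ExpiredSessionException once idle time exceeds the timeout.
    static String check(SimpleSession s) {
        try {
            s.validate();
            return "valid";
        } catch (ExpiredSessionException e) {
            return "expired";
        }
    }

    public static void main(String[] args) {
        long idle31Min = 31L * 60 * 1000;
        long idle30Days = 30L * 24 * 60 * 60 * 1000;

        // Default behaviour: 31 idle minutes exceed the 30 minute timeout.
        System.out.println("default timeout, idle 31 min: "
                + check(idleSession(THIRTY_MIN, idle31Min)));

        // Reviewer's suggestion: refresh lastAccessTime while the client is known to be alive.
        SimpleSession kept = idleSession(THIRTY_MIN, 29L * 60 * 1000);
        kept.touch(); // assumed to be driven by a heartbeat on the live JMX connection
        System.out.println("touched at 29 min: " + check(kept));

        // Change set's approach: with MAX_VALUE no idle period ever expires the session,
        // so a session abandoned for 30 days still passes validation.
        System.out.println("MAX_VALUE timeout, idle 30 days: "
                + check(idleSession(Long.MAX_VALUE, idle30Days)));
    }
}
```

The third case is the trade-off behind the review question: with a MAX_VALUE timeout the session's lifetime is bounded only by an explicit logout or stop, not by inactivity.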
