> On Jan. 25, 2017, 9:59 p.m., Swapnil Bawaskar wrote:
> > From this page (https://shiro.apache.org/session-management.html):
> > "By default, Shiro’s SessionManager implementations default to a 30 minute 
> > session timeout. That is, if any Session created remains idle (unused, 
> > where its lastAccessedTime isn’t updated) for 30 minutes or more, the 
> > Session is considered expired and will not be allowed to be used anymore.
> > You can set the default SessionManager implementation’s 
> > globalSessionTimeout property to define the default timeout value for all 
> > sessions. For example, if you wanted the timeout to be an hour instead of 
> > 30 minutes."
> > 
> > Given that, wouldn't a better fix be to update lastAccessedTime as opposed 
> > to never expiring a session?

We'd have to create a thread that would need to wake up periodically before the 
session would expire and have that thread update lastAccessedTime. The thread 
would have to be located inside the server process. It would be more work. I'm 
more tempted to put this change in and then review the problem with Jinmei or 
others to see if we should change the fix.


- Kirk


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55890/#review163027
-----------------------------------------------------------


On Jan. 25, 2017, 7:01 p.m., Kirk Lund wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55890/
> -----------------------------------------------------------
> 
> (Updated Jan. 25, 2017, 7:01 p.m.)
> 
> 
> Review request for geode, Jinmei Liao, Jared Stewart, Kevin Duling, and 
> Swapnil Bawaskar.
> 
> 
> Bugs: GEODE-2354
>     https://issues.apache.org/jira/browse/GEODE-2354
> 
> 
> Repository: geode
> 
> 
> Description
> -------
> 
> Use of security-manager results in 
> org.apache.shiro.session.UnknownSessionExceptions being thrown from protected 
> operations after 30 minutes idle (the default global session timeout in 
> Apache Shiro).
> 
> GFSH connects to the JMX Manager but this connection has no timeout even if 
> the cluster is secured. So after 30 minutes of being idle, GFSH will remain 
> connected to the JMX Manager but all commands that are protected will result 
> in an UnknownSessionException.
> 
> The changes in the change set simply set the global session timeout to 
> MAX_VALUE if the user has specified a security-manager. If the user specifies 
> security-shiro-init (for a custom shiro.ini) then we leave the global session 
> configuration to the user's shiro.ini.
> 
> 
> Diffs
> -----
> 
>   geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java 73d051f834425f1cf2c2164925f890bf42d36a9d 
> 
> Diff: https://reviews.apache.org/r/55890/diff/
> 
> 
> Testing
> -------
> 
> precheckin in progress
> 
> 
> Thanks,
> 
> Kirk Lund
> 
>
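
The trade-off discussed in this thread, as an added example that is not part of the review request or the Geode code base: it keeps a finite idle timeout and refreshes the session from a scheduled task, with the never-expire alternative shown in a comment. It assumes Apache Shiro 1.x and an SLF4J binding on the classpath; the class name and the 2-second timeout are constructed for the demo.

```java
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.Subject;

public class SessionKeepAliveDemo {
  public static void main(String[] args) throws Exception {
    long idleTimeoutMs = 2_000; // constructed demo value; Shiro's default is 30 minutes

    DefaultSessionManager sessionManager = new DefaultSessionManager();
    // The change under review would instead do (assuming MAX_VALUE means Long.MAX_VALUE):
    //   sessionManager.setGlobalSessionTimeout(Long.MAX_VALUE);
    // which also keeps the sessions of clients that have gone away.
    sessionManager.setGlobalSessionTimeout(idleTimeoutMs);

    DefaultSecurityManager securityManager = new DefaultSecurityManager();
    securityManager.setSessionManager(sessionManager);
    Session session = new Subject.Builder(securityManager).buildSubject().getSession();

    // Keep-alive: touch() updates the last access time well before the idle timeout.
    // If touch() throws (session already invalid), the executor stops rescheduling it.
    ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
    ScheduledFuture<?> keepAlive = scheduler.scheduleAtFixedRate(
        session::touch, idleTimeoutMs / 4, idleTimeoutMs / 4, TimeUnit.MILLISECONDS);

    Thread.sleep(2 * idleTimeoutMs);
    System.out.println("with keep-alive, still valid: " + isValid(session));

    // When the client connection closes, stop refreshing so the idle timeout applies.
    keepAlive.cancel(false);
    scheduler.shutdown();
    Thread.sleep(2 * idleTimeoutMs);
    System.out.println("after keep-alive stops, still valid: " + isValid(session));
  }

  static boolean isValid(Session session) {
    try {
      session.getLastAccessTime(); // any access validates the session first
      return true;
    } catch (InvalidSessionException e) { // expired or unknown session
      return false;
    }
  }
}
```

Tying the scheduled task to the lifetime of the client connection keeps idle expiry in force for abandoned sessions, which a global timeout of MAX_VALUE gives up.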
