[ https://issues.apache.org/jira/browse/GEODE-2354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15838903#comment-15838903 ]
Kirk Lund commented on GEODE-2354:
----------------------------------
Options for fixing this:

1) increase globalSessionTimeout indefinitely (https://reviews.apache.org/r/55890/)
2) change IntegratedSecurityService.authorize to catch UnknownSessionException and re-authenticate

The problem with #2 is we don't currently store the credentials to
re-authenticate with. This would require keeping a strong reference to
instances of GeodeAuthenticationToken which contains a reference to the
Properties containing the credentials. We pass the token to Shiro and that's
the last we use the token.

> Use of security-manager results in UnknownSessionExceptions after 30 minutes idle
> ---------------------------------------------------------------------------------
>
> Key: GEODE-2354
> URL: https://issues.apache.org/jira/browse/GEODE-2354
> Project: Geode
> Issue Type: Bug
> Components: security
> Reporter: Kirk Lund
> Assignee: Kirk Lund
>
> If the User specifies a SecurityManager with security-manager, all authorized
> operations start to fail with UnknownSessionExceptions after 30 minutes idle
> which is the default globalSessionTimeout in Apache Shiro.
> Workaround: specify security-shiro-init in gemfire.properties and configure
> everything via Shiro within a shiro.ini.
> Fixing this will require changes to IntegratedSecurityService to set the
> globalSessionTimeout higher or to re-authenticate after a timeout.