Lenny Primak created SHIRO-512: ---------------------------------- Summary: Race condition in Shiro's web container session timeout handling Key: SHIRO-512 URL: https://issues.apache.org/jira/browse/SHIRO-512 Project: Shiro Issue Type: Bug Components: Authentication (log-in) Affects Versions: 1.2.2, 1.2.3 Reporter: Lenny Primak Priority: Minor
I cannot find anywhere that Shiro uses HttpSessionListener to trap sessionDestroyed event from the container. I believe this is leading to a rare race condition in my application, as Shiro thinks the session is still active, but in reality, the web session has been destroyed. Code: SecurityUtils.getSubject().getPrincipal(); Relevant bit of stack trace: Caused by: org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException: PWC2778: getAttribute: Session already invalidated at org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148) at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469) at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153) at org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149) Link to the mailing list thread: http://shiro-user.582556.n2.nabble.com/Possible-race-condition-in-Shiro-s-web-container-session-timeout-handling-td7580138.html -- This message was sent by Atlassian JIRA (v6.2#6252)