SessionListeners can only be invoked if using Shiro's 'native' sessions. If you use the servlet container sessions (the default setting), there is no way Shiro can know about session events since there is nothing in the servlet specification that allows for this. Session events are a shiro-specific feature that we can offer in our native session implementation.
To enable native sessions (assuming you're using INI in web.xml): [main] securityManager.sessionMode = native [filters] ... However, your use case surfaced something that we haven't accounted for in INI configuration - lists/sets/maps. That is, ideally, you'd want to do something like this: securityManager.sessionManager.sessionListeners = [$listener1, $listener2, ..., $listenerN] We don't have the ability to translate the [...] notation into a list/array yet. Could you please open a Jira issue for this so we can make it work for 1.0? In the meantime, you'll have to get a reference to the SecurityManager (SecurityUtils.getSecurityManager()), and call the setListeners method yourself. This will enable your listener (but again, only if using native sessions). Regards, Les On Tue, Apr 20, 2010 at 12:34 PM, David Higginbotham <[email protected]> wrote: > Hi. > > > > I am trying to set up my filter in the web.xml to redirect to the login > page when the session times out. Is there a default configuration for > this ? > > > > I found in the mailing list a discussion about using a SessionListener > to handle the redirect: > > > >> org.apache.shiro.session.SessionListener sessionListener = new >> MySessionListener(); >> securityManager.addSessionListener(yourSessionListener); >> > > I have this coded but the listener does not get invoked. > > > > > DefaultWebSecurityManager man = (DefaultWebSecurityManager) > SecurityUtils.getSecurityManager(); > > man.add(new SessionHandler()); > > > public class SessionHandler implements SessionListener > > { > > > > public SessionHandler() > > { > > if (log.isDebugEnabled()) > > { > > log.debug("SessionHandler:instance."); > > } > > } > > > > �...@override > > public void onExpiration(Session arg0) > > { > > if (log.isDebugEnabled()) > > { > > log.debug("SessionHandler:Shiro Session expired."); > > } > > > > } > > > > �...@override > > public void onStart(Session arg0) > > { > > if (log.isDebugEnabled()) > > { > > log.debug("SessionHandler:Shiro Session started."); > > } > > > > } > > > > �...@override > > public void onStop(Session arg0) > > { > > if (log.isDebugEnabled()) > > { > > log.debug("SessionHandler:Shiro Session stopped."); > > } > > > > } > > > > } > > > > I have this in the web.xml. > > > > [filters] > > shiro.loginUrl = /login.jsp > > roles.unauthorizedUrl = /login.jsp > > perms.unauthorizedUrl = /login.jsp > > > > Is there a filter named shiro.sessionTimeout or something like it that > would help control this ? > > > > Thanks for your help, > > > > David > >
