Hi Les,
Even those I specified configuration I nweb.xml as below:
[main]
realmA = com.xymz.abc.imp.myDAo
securityManager =
org.apache.shiro.web.DefaultWebSecurityManager
sessionManager =
org.apache.shiro.web.session.DefaultWebSessionManager
sessionManager.globalSessionTimeout = 300000
securityManager.sessionMode = native
securityManager.sessionManager = $sessionManager
When I debug into deeper I found the root as below
Web.xml configured securityManger is replacing by default
securityManager which was created in createSecurityManagerForSection
method of IniConfiguration class.
In this method following snippet of code is there as defaults
defaults.put("securityManager", securityManager);
//convenient alias:
defaults.put("sm", securityManager);
SecurityManager created by key "securityManager" is replacing by key
"sm" by following line
if (value instanceof RealmSecurityManager) {
securityManager = (RealmSecurityManager) value;
}
If I add following code along with above web.xml configuration then it
is configuring correctly.
sm =
org.apache.shiro.web.DefaultWebSecurityManager
sm.sessionMode = native
sm.sessionManager = $sessionManager
Both the default securityMangers are replaced by web.xml configured
values.
May I know what is the purpose of defaults.put("sm" ,"securityManager");
Could you please tell us how to tell the end user that session expired.
Thanks
Balajee
________________________________
From: [email protected] [mailto:[email protected]] On
Behalf Of Les Hazlewood <[email protected]>
Sent: Tuesday, August 25, 2009 4:43 PM
To: [email protected]
Subject: Re: Losing session
Hi Mad,
Wait until tomorrow when hopefully the trunk is back to being stable
again - then you should try the latest trunk as I recall a session
timeout bug being fixed early last week.
- Les
On Tue, Aug 25, 2009 at 10:14 AM, mad rug wrote:
> I'm still troubled with this...
> I keep losing my session after 30 minutes (default timeout), no matter
the
> user activity. I need to fix this to allow session expiration after
some
> time of inactivity, and present nice messages when the session
expires.
> What's the way to do this?
> Thanks!
>
> On Fri, Aug 21, 2009 at 12:57 PM, mad rug wrote:
>>
>> Well, I might try it then... weekend is coming, and I can get what I
had
>> to do until Monday, and still fix this... I hope :-P
>> Other notes:
>> - I thought that I may change the sessionValidationInterval property
to a
>> lower value so the session gets invalidated quickly, but I couldn't
find it
>> on DefaultWebSecurityManager, even though it
>> extends AbstractValidatingSessionManager;
>> - I read about autoCreateSessionAfterInvalidation, that it is
defaulted to
>> true, I got a doubt: if the session is replaced by a new one, like I
guess
>> it is happening in my case, then this is merely a dev convenience to
let the
>> user log itself using the already available new session, but all the
data
>> stored in the previous session is gone, is that right?
>> I implemented a SessionListener, but I'm now unsure how it will help
me.
>> First, it does notify me on session timeout, but all that I get is
the
>> expired session... I want to notify the user with some 'session
expired,
>> login again' message, but an expired session won't help me on that, I
guess.
>> How can I do it?
>> Second, I used the listener to set my 10s timeout by code to test
>> expiration, and it expires my session after the 10s, but no matter if
I'm
>> inactive or performing actions and navigating around my app all the
time. Is
>> this right, or is that one of your fixed bugs?
>> Thanks again Les. You've been invaluable to get my application
working!
>>
>> On Fri, Aug 21, 2009 at 12:23 PM, Les Hazlewood
>> wrote:
>>>
>>> In that case you will want the latest snapshot version - now that I
>>> think about it, I think one of those bugs did affect session
timeout.
>>>
>>> On Fri, Aug 21, 2009 at 11:07 AM, mad rug wrote:
>>> > Les,
>>> > I'm using native session (
>>> > value="shiro"/>). For
>>> > sure I'm not with the latest version of shiro... I'm using this
>>> > snapshot for
>>> > over two months. As you say it is unlikely that it is related to
the
>>> > last
>>> > fixes, I'll try to keep this version, unless things do not get in
line.
>>> > I just tested global timeout (
>>> > value="10000"/> ), but the session is not expiring as fast as I
>>> > expected...
>>> > it lasted minutes. Is a number as low as this accepted? I used 10s
for
>>> > testing... I plan to use something around 15 minutes.
>>> > I use no listeners so far, but I guess they will do the job. As I
said,
>>> > I
>>> > store some user data on the session (name, nick, company it works
>>> > for...)
>>> > and this data is put on the header of every page, so if the
listener is
>>> > called the first time the expired session is accessed, it will be
fine.
>>> > I'll try that right now... any problem, I'll bother you again! ;-)
>>> > Thanks again!
>>> > On Fri, Aug 21, 2009 at 11:32 AM, Les Hazlewood
>>> > wrote:
>>> >>
>>> >> Hi Mad,
>>> >>
>>> >> Are you using standard ServletContainer sessions? or Shiro's
native
>>> >> sessions?
>>> >>
>>> >> If using native sessions, ensure you're using the latest version
of
>>> >> Shiro - a few session-related bugs were fixed over the last
month. I
>>> >> doubt they would be related to what you're seeing, but at least
its
>>> >> worth a try.
>>> >>
>>> >> You can also set the global session timeout (for all sessions)
setting
>>> >> sessionManager.globalSessionTimeout = desiredMilliseconds.
>>> >>
>>> >> Also, you could implement a
org.apache.shiro.session.SessionListener
>>> >> to listen to session lifecycle events
>>> >> (securityManager.setSessionListeners(Collection
>>> >> listeners); ). Note however that session validation (for
expiration)
>>> >> is done lazily: you won't receive an 'expiredSession'
notification
>>> >> the exact instant it expires. You'll receive the notification if
an
>>> >> expired session is ever accessed or the next time Shiro's session
>>> >> validator executes (configurable - defaults to once per hour I
think).
>>> >>
>>> >> Finally, if you want to know about logins and logouts, don't use
a
>>> >> SessionListener for this - use an
>>> >> org.apache.shiro.authc.AuthenticationListener
>>> >>
>>> >>
>>> >> (securityManager.setAuthenticationListeners(Collection
>>> >> listeners); ).
>>> >>
>>> >> Regards,
>>> >>
>>> >> Les
>>> >>
>>> >> On Fri, Aug 21, 2009 at 9:49 AM, mad rug wrote:
>>> >> > Hi
>>> >> > I'm having some problem with my application. I use Shiro in a
Spring
>>> >> > MVC
>>> >> > application much like the sample included with Shiro. I use
Shiro
>>> >> > session,
>>> >> > and I store some logged user data in it (user ID, company that
user
>>> >> > belongs
>>> >> > to, etc), but sometimes my app seem to be losing its session,
like a
>>> >> > timeout, but without long inactive periods. I notice it quickly
>>> >> > because
>>> >> > my
>>> >> > header pages contain the name of the user and its company name,
and
>>> >> > they
>>> >> > suddenly are gone, even though I remain authenticated
>>> >> > (
>>> >> > still returns the user principal).
>>> >> > I don't know where I am missing some config to make the session
last
>>> >> > longer... how can I handle it?
>>> >> > Moreover, does Shiro provide any facility to handle session
timeout,
>>> >> > and
>>> >> > maybe redirect to some warning page?
>>> >> > Thanks!
>>> >
>>> >
>>
>
>
