You need to specify a SessionListener on the SecurityManager instance:

org.apache.shiro.session.SessionListener sessionListener = new MySessionListener();
securityManager.addSessionListener(sessionListener);

Currently, because there is no setSessionListener method (only for a
collection) and collections support does not work in the INI
configuration, you can't configure this in web.xml or shiro.ini - it
needs to be in code.

This is a limitation of the .ini file format and makes it difficult to
configure object graphs.  The devs have discussed other configuration
mechanisms in the past, and we think we'll need a better solution for
1.0.  Stay tuned for that.

Cheers,

Les

On Fri, Sep 4, 2009 at 11:05 AM,  <[email protected]> wrote:
> Hi Mad,
>
> I took the new source code a few hours ago and built it with Maven,
>
> Now I am able to set session Timeout but still couldn’t resolve how to get
> the notification when session expired on server so that I can send some
> message to client.
>
> I am using Flex and Java in my application so I have to send a message using
> BlazeDS to Flex whenever the session times out.
>
>
>
> @Les: could you please tell how to get some kind of notification when the session
> times out.
>
>
>
> Thanks
>
> Balajee
>
>
>
> ________________________________
>
> From: mad rug <[email protected]> [mailto:mad rug <[email protected]>]
> Sent: Friday, September 04, 2009 5:01 PM
> To: [email protected]
> Subject: Re: Losing session
>
>
>
> Balajee,
>
>
>
> No, my issue is not fixed yet, but I haven't investigated it further... I
> still couldn't get the time to try the latest Shiro snapshot, as I'm with
> other tasks in hand.
>
>
>
> Is this configuration you posted making the expire timeout work? Are you
> using the latest snapshot?
>
> If this is not the fix, let us know if you find it. As soon as I go back to
> this issue and discover something, I'll send a mail.
>
>
>
> Regards,
>
> Mad
>
> On Fri, Sep 4, 2009 at 11:24 AM, Les Hazlewood <[email protected]>
> wrote:
>
> Please don't use the 'sm' alias.  It has been removed from the latest
> Shiro snapshot.  It was causing problems and it should have never been
> enabled - there is no way to specify aliases for anything else in
> configuration and this one special case was causing problems, so it
> was better to remove it and have the securityManager work like
> everything else.
>
> Just use the 'securityManager' bean name from now on please.
>
> - Les
>
> On Fri, Sep 4, 2009 at 9:01 AM,  <[email protected]> wrote:
>> Hi Les,
>>
>> Even though I specified the configuration in web.xml as below:
>>
>>                   [main]
>>                         realmA = com.xymz.abc.imp.myDAo
>>                         securityManager = org.apache.shiro.web.DefaultWebSecurityManager
>>                         sessionManager = org.apache.shiro.web.session.DefaultWebSessionManager
>>                         sessionManager.globalSessionTimeout = 300000
>>                         securityManager.sessionMode = native
>>                         securityManager.sessionManager = $sessionManager
>>
>>
>>
>> When I debugged deeper I found the root as below:
>>
>> The web.xml-configured securityManager is being replaced by the default
>> securityManager which was created in the createSecurityManagerForSection
>> method of the IniConfiguration class.
>>
>> In this method the following snippet of code is there as defaults:
>>
>>         defaults.put("securityManager", securityManager);
>>
>>         //convenient alias:
>>
>>         defaults.put("sm", securityManager);
>>
>>
>>
>> The SecurityManager created by key “securityManager” is being replaced by
>> key “sm” by the following line:
>>
>>
>>
>> if (value instanceof RealmSecurityManager) {
>>
>>                 securityManager = (RealmSecurityManager) value;
>>
>>             }
>>
>>
>>
>> If I add the following code along with the above web.xml configuration then
>> it is configured correctly.
>>
>>                         sm = org.apache.shiro.web.DefaultWebSecurityManager
>>                         sm.sessionMode = native
>>                         sm.sessionManager = $sessionManager
>>
>>
>>
>> Both the default securityManagers are replaced by web.xml configured
>> values.
>>
>>
>>
>> May I know what is the purpose of defaults.put("sm", "securityManager");
>>
>>
>>
>> Could you please tell us how to tell the end user that session expired.
>>
>>
>>
>> Thanks
>>
>> Balajee
>>
>>
>>
>> ________________________________
>>
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of Les Hazlewood <[email protected]>
>> Sent: Tuesday, August 25, 2009 4:43 PM
>> To: [email protected]
>> Subject: Re: Losing session
>>
>>
>>
>> Hi Mad,
>>
>> Wait until tomorrow when hopefully the trunk is back to being stable
>> again - then you should try the latest trunk as I recall a session
>> timeout bug being fixed early last week.
>>
>> - Les
>>
>> On Tue, Aug 25, 2009 at 10:14 AM, mad rug wrote:
>>> I'm still troubled with this...
>>> I keep losing my session after 30 minutes (default timeout), no matter
>>> the
>>> user activity. I need to fix this to allow session expiration after some
>>> time of inactivity, and present nice messages when the session expires.
>>> What's the way to do this?
>>> Thanks!
>>>
>>> On Fri, Aug 21, 2009 at 12:57 PM, mad rug wrote:
>>>>
>>>> Well, I might try it then... weekend is coming, and I can get what I had
>>>> to do until Monday, and still fix this... I hope :-P
>>>> Other notes:
>>>> - I thought that I may change the sessionValidationInterval property to
>>>> a
>>>> lower value so the session gets invalidated quickly, but I couldn't find
>>>> it
>>>> on DefaultWebSecurityManager, even though it
>>>> extends AbstractValidatingSessionManager;
>>>> - I read about autoCreateSessionAfterInvalidation, that it is defaulted
>>>> to
>>>> true, I got a doubt: if the session is replaced by a new one, like I
>>>> guess
>>>> it is happening in my case, then this is merely a dev convenience to let
>>>> the
>>>> user log itself using the already available new session, but all the
>>>> data
>>>> stored in the previous session is gone, is that right?
>>>> I implemented a SessionListener, but I'm now unsure how it will help me.
>>>> First, it does notify me on session timeout, but all that I get is the
>>>> expired session... I want to notify the user with some 'session expired,
>>>> login again' message, but an expired session won't help me on that, I
>>>> guess.
>>>> How can I do it?
>>>> Second, I used the listener to set my 10s timeout by code to test
>>>> expiration, and it expires my session after the 10s, but no matter if
>>>> I'm
>>>> inactive or performing actions and navigating around my app all the
>>>> time.
>>>> Is
>>>> this right, or is that one of your fixed bugs?
>>>> Thanks again Les. You've been invaluable to get my application working!
>>>>
>>>> On Fri, Aug 21, 2009 at 12:23 PM, Les Hazlewood
>>>> wrote:
>>>>>
>>>>> In that case you will want the latest snapshot version - now that I
>>>>> think about it, I think one of those bugs did affect session timeout.
>>>>>
>>>>> On Fri, Aug 21, 2009 at 11:07 AM, mad rug wrote:
>>>>> > Les,
>>>>> > I'm using native session (
>>>>> > value="shiro"/>). For
>>>>> > sure I'm not with the latest version of shiro... I'm using this
>>>>> > snapshot for
>>>>> > over two months. As you say it is unlikely that it is related to the
>>>>> > last
>>>>> > fixes, I'll try to keep this version, unless things do not get in
>>>>> > line.
>>>>> > I just tested global timeout (
>>>>> > value="10000"/> ), but the session is not expiring as fast as I
>>>>> > expected...
>>>>> > it lasted minutes. Is a number as low as this accepted? I used 10s
>>>>> > for
>>>>> > testing... I plan to use something around 15 minutes.
>>>>> > I use no listeners so far, but I guess they will do the job. As I
>>>>> > said,
>>>>> > I
>>>>> > store some user data on the session (name, nick, company it works
>>>>> > for...)
>>>>> > and this data is put on the header of every page, so if the listener
>>>>> > is
>>>>> > called the first time the expired session is accessed, it will be
>>>>> > fine.
>>>>> > I'll try that right now... any problem, I'll bother you again! ;-)
>>>>> > Thanks again!
>>>>> > On Fri, Aug 21, 2009 at 11:32 AM, Les Hazlewood
>>>>> > wrote:
>>>>> >>
>>>>> >> Hi Mad,
>>>>> >>
>>>>> >> Are you using standard ServletContainer sessions?  or Shiro's native
>>>>> >> sessions?
>>>>> >>
>>>>> >> If using native sessions, ensure you're using the latest version of
>>>>> >> Shiro - a few session-related bugs were fixed over the last month.
>>>>> >>  I
>>>>> >> doubt they would be related to what you're seeing, but at least it's
>>>>> >> worth a try.
>>>>> >>
>>>>> >> You can also set the global session timeout (for all sessions)
>>>>> >> setting
>>>>> >> sessionManager.globalSessionTimeout = desiredMilliseconds.
>>>>> >>
>>>>> >> Also, you could implement a org.apache.shiro.session.SessionListener
>>>>> >> to listen to session lifecycle events
>>>>> >> (securityManager.setSessionListeners(Collection
>>>>> >> listeners); ).  Note however that session validation (for
>>>>> >> expiration)
>>>>> >> is done lazily:  you won't receive an 'expiredSession' notification
>>>>> >> the exact instant it expires.  You'll receive the notification if an
>>>>> >> expired session is ever accessed or the next time Shiro's session
>>>>> >> validator executes (configurable - defaults to once per hour I
>>>>> >> think).
>>>>> >>
>>>>> >> Finally, if you want to know about logins and logouts, don't use a
>>>>> >> SessionListener for this - use an
>>>>> >> org.apache.shiro.authc.AuthenticationListener
>>>>> >>
>>>>> >>
>>>>> >> (securityManager.setAuthenticationListeners(Collection
>>>>> >> listeners); ).
>>>>> >>
>>>>> >> Regards,
>>>>> >>
>>>>> >> Les
>>>>> >>
>>>>> >> On Fri, Aug 21, 2009 at 9:49 AM, mad rug wrote:
>>>>> >> > Hi
>>>>> >> > I'm having some problem with my application. I use Shiro in a
>>>>> >> > Spring
>>>>> >> > MVC
>>>>> >> > application much like the sample included with Shiro. I use Shiro
>>>>> >> > session,
>>>>> >> > and I store some logged user data in it (user ID, company that
>>>>> >> > user
>>>>> >> > belongs
>>>>> >> > to, etc), but sometimes my app seems to be losing its session, like
>>>>> >> > a
>>>>> >> > timeout, but without long inactive periods. I notice it quickly
>>>>> >> > because
>>>>> >> > my
>>>>> >> > header pages contain the name of the user and its company name,
>>>>> >> > and
>>>>> >> > they
>>>>> >> > suddenly are gone, even though I remain authenticated
>>>>> >> > (
>>>>> >> > still returns the user principal).
>>>>> >> > I don't know where I am missing some config to make the session
>>>>> >> > last
>>>>> >> > longer... how can I handle it?
>>>>> >> > Moreover, does Shiro provide any facility to handle session
>>>>> >> > timeout,
>>>>> >> > and
>>>>> >> > maybe redirect to some warning page?
>>>>> >> > Thanks!
>>>>> >
>>>>> >
>>>>
>>>
>>>
>
>
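
The listener approach discussed in this thread, as an added example that is not code from the thread or from the Shiro project: a SessionListener that records timed-out sessions so a later request can be told its session expired, wired in code together with the idle timeout and validator interval. It assumes the released Shiro 1.x package names and setters (the 2009 snapshot in the thread used different packages); `ExpiryNotifier`, `USER_KEY`, `RETAIN_MS`, `consumeExpired` and `buildSecurityManager` are hypothetical names.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/** Added example (hypothetical class): remembers timed-out sessions for a later notice. */
public class ExpiryNotifier implements SessionListener {
    static final String USER_KEY = "userId";          // hypothetical attribute set at login
    static final long RETAIN_MS = 60 * 60 * 1000L;    // keep expiry records for one hour

    // expired session id -> time the expiry was observed (ms since epoch)
    private final Map<Serializable, Long> expired = new ConcurrentHashMap<>();

    @Override public void onStart(Session session) { }
    @Override public void onStop(Session session) { }  // explicit stop or logout, not a timeout

    @Override
    public void onExpiration(Session session) {
        // Lazy: runs when the expired session is next accessed or when the validator sweeps.
        long now = System.currentTimeMillis();
        expired.values().removeIf(seen -> now - seen > RETAIN_MS);  // bound memory use
        expired.put(session.getId(), now);
        System.out.printf("session %s (user %s) expired, last access %s%n",
                session.getId(), session.getAttribute(USER_KEY), session.getLastAccessTime());
    }

    /** True exactly once for a timed-out id, so a filter can answer "session expired". */
    public boolean consumeExpired(Serializable sessionId) {
        return expired.remove(sessionId) != null;
    }

    /** Programmatic wiring of timeout, validator interval and listener. */
    public static DefaultWebSecurityManager buildSecurityManager(ExpiryNotifier listener) {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setGlobalSessionTimeout(15 * 60 * 1000L);   // 15 minutes of inactivity
        sessionManager.setSessionValidationInterval(60 * 1000L);   // sweep every minute
        sessionManager.setSessionListeners(
                Collections.<SessionListener>singletonList(listener));
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        return securityManager;
    }
}
```

A servlet filter can pass the id carried by the incoming session cookie to `consumeExpired` and, on `true`, return a "session expired, log in again" response instead of a silent redirect; this assumes string session ids.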
