Hi Mandar, I think you want to enable the 'authc' filter in Shiro's configuration. If it detects a new session (or unauthenticated session), it will automatically redirect back to the login page, and then, once successfully authenticated, will redirect them back to the page they attempted to view at first.
This is the most standard way of supporting the 'redirect to login page' behavior common across most apps. For example, in Shiro's INI configuration (assuming you're using the IniShiroFilter):

[main]
...
authc.loginUrl = /login

[urls]
# allow anonymous users to login:
/login = anon
# all other requests must be authenticated:
/** = authc

HTH,

Les

On Tue, Jun 22, 2010 at 1:10 PM, enabler <[email protected]> wrote:
>
> I've read a couple of old threads on a similar topic (e.g. 'Standalone - Session
> Timeout', 'Session Creation for same user'). However, I didn't understand
> how I would go about disabling the auto-create session feature of Shiro (we use
> spring/mvc). For test purposes, I have set up my timeout to be 1min and it
> does trigger correctly as per the trace below:
>
> - [Thread: qtp0-8]15:00:43.799 TRACE [org.apache.shiro.subject.DelegatingSubject] attempting to get session; create = true; session is null = false; session has id = true
> - [Thread: qtp0-8]15:00:43.799 TRACE [org.apache.shiro.session.mgt.AbstractValidatingSessionManager] Attempting to retrieve session with id [2546a7df-aedc-4e3e-8e29-606d025566f3]
> - [Thread: qtp0-8]15:00:43.799 INFO [com.bloomberg.sports.portal.eis.impl.security.SessionDAO] >>>START readSession: 2546a7df-aedc-4e3e-8e29-606d025566f3
> - [Thread: qtp0-8]15:00:43.846 INFO [com.bloomberg.sports.portal.eis.impl.security.SessionDAO] readSession !=null, id? 2546a7df-aedc-4e3e-8e29-606d025566f3
> - [Thread: qtp0-8]15:00:43.846 INFO [com.bloomberg.sports.portal.eis.impl.security.SessionDAO] >>>End readSession: 2546a7df-aedc-4e3e-8e29-606d025566f3
>
> - [Thread: qtp0-8]15:00:43.846 TRACE [org.apache.shiro.session.mgt.SimpleSession] Session with id [2546a7df-aedc-4e3e-8e29-606d025566f3] has expired. Last access time: 6/22/10 2:48 PM. Current time: 6/22/10 3:00 PM. Session timeout is set to 60 seconds (1 minutes)
>
> - [Thread: qtp0-8]15:00:43.846 INFO [mypkg.SessionDAO] >>>START updateSession: 2546a7df-aedc-4e3e-8e29-606d025566f3
> - [Thread: qtp0-8]15:00:44.017 INFO [mypkg.SessionDAO] >>>END updateSession: 2546a7df-aedc-4e3e-8e29-606d025566f3
> - [Thread: qtp0-8]15:00:44.017 TRACE [org.apache.shiro.session.mgt.DefaultSessionManager] Creating session for host /127.0.0.1
> - [Thread: qtp0-8]15:00:44.017 DEBUG [org.apache.shiro.session.mgt.DefaultSessionManager] Creating new EIS record for new session instance
>
> However, I need to turn off this behavior and have the application go back
> to the login page. As mentioned before, I've seen a few old threads on a
> similar topic, but wasn't able to understand the solutions. Sorry if this is a
> repeat question, but I would really like to get a clear solution to resolve
> this issue.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Disable-auto-create-new-session-upon-original-session-timeout-tp5210586p5210586.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
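
Added example (not part of the original thread, and not code from the Shiro project): a login handler for the `/login = anon` URL in the configuration above, which authenticates the user and then returns them to the page the authc filter saved before it redirected. The servlet class name, the form fields `username` and `password`, the `/login?error` target and the fallback URL `/` are assumptions; the poster's application uses Spring MVC, where the same Shiro calls would sit in a controller method.

```java
import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical handler mapped to POST /login (the URL left as 'anon' above).
 * Every other URL is behind 'authc', so a request carrying an expired session
 * arrives as unauthenticated, the filter saves it and redirects here.
 */
public class LoginServlet extends HttpServlet {

    // Assumed landing page when no request was saved (user opened /login directly).
    private static final String FALLBACK_URL = "/";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(
                req.getParameter("username"),   // assumed form field name
                req.getParameter("password"));  // assumed form field name
        try {
            // Delegates to the realm(s) configured under [main].
            subject.login(token);
        } catch (AuthenticationException e) {
            // Same response for unknown user and bad password: no account enumeration.
            WebUtils.issueRedirect(req, resp, "/login?error");
            return;
        } finally {
            // Wipe the password char[] held by the token.
            token.clear();
        }
        // Send the user back to the URL the authc filter saved before
        // redirecting to loginUrl, or to the fallback if none was saved.
        WebUtils.redirectToSavedRequest(req, resp, FALLBACK_URL);
    }
}
```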
