No prob Tauren - glad to help!

Best,
Les

On Tue, Feb 8, 2011 at 2:04 PM, Tauren Mills <[email protected]> wrote:
> Les,
> That's the same conclusion I came to. In fact, I'm not quite sure why that
> logic was in the logout method as it didn't seem to make sense. It was added
> long ago by another developer who is no longer on my team. I just wanted to
> make sure there wasn't something I was missing, so thanks for verifying
> this.
> Tauren
>
> On Tue, Feb 8, 2011 at 3:34 PM, Les Hazlewood <[email protected]> wrote:
>>
>> Hi Tauren,
>>
>> It looks to me like the invalidate() method is, under the covers,
>> invalidating the session. subject.logout() already does this
>> automatically (if a subject logs out, it is fully expected that their
>> session should always be stopped). Calling both would cause a problem
>> since the 2nd call clearly attempts to invalidate a session that is
>> already invalidated (throwing the exception).
>>
>> Also, for this code sequence:
>>
>>     SecurityUtils.getSubject().logout();
>>     if (SecurityUtils.getSubject().isAuthenticated()) {
>>         ...
>>     }
>>
>> the isAuthenticated() check will _always_ return false. Once you log
>> out, the subject is no longer considered authenticated. So, just
>> reducing your code to this:
>>
>>     SecurityUtils.getSubject().logout();
>>     return true;
>>
>> should work in all cases.
>>
>> Because the SecurityUtils.getSubject().isAuthenticated() check was
>> always returning false, invalidate() was always being called. Clearly
>> the wicket team changed something in their invalidate() logic between
>> releases, but I couldn't say what that was.
>>
>> HTH!
>>
>> Cheers,
>>
>> --
>> Les Hazlewood
>> Founder, Katasoft, Inc.
>> Application Security Products & Professional Apache Shiro Support and
>> Training:
>> http://www.katasoft.com
>>
>> On Mon, Feb 7, 2011 at 7:18 PM, Tauren Mills <[email protected]> wrote:
>> > I'm seeing an exception when users log out of my Wicket application. It
>> > seems that the session is being looked up again after it has already been
>> > removed. See the exception below.
>> > This was not happening when using Wicket 1.4.6, but when I upgrade to
>> > 1.4.15 I am getting exceptions. I have confirmed that simply changing
>> > wicket versions makes the problem go away or start happening -- no other
>> > changes are made to the app except upgrading Wicket.
>> > I have this logic in my AuthenticatedSession class (extends wicket's
>> > WebSession) that is called when a user requests to log out:
>> >
>> >     public boolean logout() {
>> >         log.info("Member logout: "+SecurityUtils.getSubject().getPrincipal());
>> >         SecurityUtils.getSubject().logout();
>> >         if (SecurityUtils.getSubject().isAuthenticated())
>> >             dirty();
>> >         else
>> >             invalidate();
>> >         return true;
>> >     }
>> >
>> > I can't even remember now why I have that isAuthenticated() test and
>> > logic in there. At some point it must have done something, but maybe all
>> > I need now is just:
>> >
>> >     SecurityUtils.getSubject().logout();
>> >
>> > When I remove the if/then clause, I no longer get an exception. But I'm
>> > confused why upgrading Wicket would cause this to happen, as it seems
>> > unrelated.
>> > Any thoughts on what's going on here?
>> > Tauren
>> >
>> > 2011-02-08 00:58:06,478 WARN - AbstractHttpSessionStore - Error while invalidating Session Store: Session already invalidated
>> > java.lang.IllegalStateException: org.apache.shiro.session.UnknownSessionException: There is no session with id [939f87f4-ee49-4347-944c-82e5cb95bebb]
>> >     at org.apache.shiro.web.servlet.ShiroHttpSession.getAttribute(ShiroHttpSession.java:133)
>> >     at org.apache.wicket.protocol.http.AbstractHttpSessionStore.invalidate(AbstractHttpSessionStore.java:210)
>> >     at org.apache.wicket.Session.invalidateNow(Session.java:882)
>> >     at org.apache.wicket.Session.detach(Session.java:1196)
>> >     at com.sprtz.web.AuthenticatedSession.detach(AuthenticatedSession.java:72)
>> >     at org.apache.wicket.RequestCycle.threadDetach(RequestCycle.java:1481)
>> >     at org.apache.wicket.RequestCycle.detach(RequestCycle.java:1218)
>> >     at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1462)
>> >     at org.apache.wicket.RequestCycle.request(RequestCycle.java:545)
>> >     at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:486)
>> >     at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:319)
>> >     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
>> >     at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:359)
>> >     at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:275)
>> >     at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>> >     at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>> >     at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:344)
>> >     at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:272)
>> >     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:81)
>> >     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>> >     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>> >     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
>> >     at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
>> >     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>> >     at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1088)
>> >     at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
>> >     at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
>> >     at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
>> >     at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:729)
>> >     at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
>> >     at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
>> >     at org.mortbay.jetty.Server.handle(Server.java:324)
>> >     at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
>> >     at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
>> >     at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:513)
>> >     at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
>> >     at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
>> >     at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
>> >     at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)
>> > Caused by: org.apache.shiro.session.UnknownSessionException: There is no session with id [939f87f4-ee49-4347-944c-82e5cb95bebb]
>> >     at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
>> >     at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
>> >     at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
>> >     at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
>> >     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
>> >     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
>> >     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:206)
>> >     at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141)
>> >     at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
>> >     at org.apache.shiro.web.servlet.ShiroHttpSession.getAttribute(ShiroHttpSession.java:131)
>> >     ... 38 more
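
The behaviour discussed in this thread can be reproduced outside Wicket with a stand-alone Shiro program; this is an added example, not code from the thread or from the Shiro or Wicket projects. It assumes shiro-core on the classpath, and the realm, account name, password and attribute key are constructed for illustration.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class LogoutSessionDemo {

    public static void main(String[] args) {
        // Constructed in-memory realm with one sample account (illustration only).
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("demo-user", "demo-password");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        // Build a Subject directly instead of via SecurityUtils so the demo
        // needs no thread-bound or static security manager.
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken("demo-user", "demo-password"));

        // Keep a reference to the session, the way a framework-level session
        // store would hold on to it across the logout call.
        Session session = subject.getSession();
        session.setAttribute("sample-key", "constructed sample value");
        System.out.println("authenticated before logout: " + subject.isAuthenticated());

        // logout() clears the identity AND stops the session in one step.
        subject.logout();
        System.out.println("authenticated after logout: " + subject.isAuthenticated());

        // Any later use of the old reference is a second touch on a session
        // that no longer exists. UnknownSessionException, seen in the trace
        // above, is a subclass of InvalidSessionException.
        try {
            session.getAttribute("sample-key");
            System.out.println("stale session was still readable");
        } catch (InvalidSessionException e) {
            System.out.println("stale session rejected: " + e.getClass().getSimpleName());
        }

        // getSession(false) never creates a session, so it is a safe way to
        // check whether anything is left to invalidate.
        System.out.println("session after logout: " + subject.getSession(false));
    }
}
```

Code that still has to run its own session cleanup after logout() can guard it with a getSession(false) null check or catch InvalidSessionException, rather than branching on isAuthenticated().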
