I have a Spring web application with Shiro configured with a custom Realm for
authentication/authorization. Everything works as expected upon login and
for several minutes afterwards, with an authenticated User having appropriate
Authorization via Roles/Permissions.

The issue is that Shiro loses the Authorization information seemingly at
random, but the Session remains valid. The application can still get a
Principal from the Shiro session, but it has no roles/permissions associated
with it any longer. I'm using JSP tags as well as the API, and both agree
that the roles/permissions are not available. The filterChainDefinitions
still work correctly. If I explicitly call clearCachedAuthorizationInfo(...)
in the realm, it clears up the issue for a short period of time.
Logout/Login does not always resolve the issue immediately, and at one point
I could predict the Authorization going away 2 minutes after login; however,
changing the Realm configuration to explicitly set a CacheManager changed
that to randomly losing the roles/perms.

I've been through the documentation and forums several times and added a
SessionListener and CacheListeners, but I'm not seeing evictions, removals or
expirations. I can see the 'shiro-activeSessionCache' being updated for
Sessions, but that's all the cache activity I see.

I'm out of ideas. I was under the impression that Shiro handles its own
Cache evictions, etc., and that's why EhCache is configured with eternal=true
& TTL=0.

Does anybody see an issue with my configuration below, or has anybody seen
this issue before?
applicationContext.xml:

<!-- Shiro servlet filter: login page and URL-to-filter mappings -->
<bean id="shiroFilter"
      class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="filterChainDefinitions">
        <value>
            /login.jsp = authc
            /sm/** = authc
        </value>
    </property>
</bean>

<!-- Security manager with native (Shiro-managed) sessions -->
<bean id="securityManager"
      class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="sessionMode" value="native"/>
    <property name="realm" ref="siteRealm"/>
    <property name="sessionManager" ref="sessionManager"/>
    <property name="cacheManager" ref="cacheManager"/>
</bean>

<!-- Shiro cache manager backed by the Spring-managed Ehcache instance -->
<bean id="cacheManager"
      class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManager" ref="ehCacheManager"/>
</bean>

<bean id="ehCacheManager"
      class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>

<!-- Sessions are stored in the cache manager's active-session cache -->
<bean id="sessionDAO"
      class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"/>

<bean id="sessionManager"
      class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="globalSessionTimeout" value="3600000"/>
    <property name="sessionDAO" ref="sessionDAO"/>
</bean>

<bean id="credentialsMatcher"
      class="org.apache.shiro.authc.credential.Sha256CredentialsMatcher">
    <property name="storedCredentialsHexEncoded" value="false"/>
    <property name="hashIterations" value="1024"/>
</bean>

<!-- Custom realm; authorization info is cached under the named Ehcache region -->
<bean id="siteRealm" class="com.jeffp.SiteRealm">
    <property name="credentialsMatcher" ref="credentialsMatcher"/>
    <property name="cacheManager" ref="cacheManager"/>
    <property name="authorizationCacheName"
              value="shiro-activeSessionCache"/>
</bean>
ehcache.xml:

<cache name="shiro-activeSessionCache"
       maxElementsInMemory="10000"
       overflowToDisk="true"
       eternal="true"
       timeToLiveSeconds="0"
       timeToIdleSeconds="0"
       diskPersistent="true"
       diskExpiryThreadIntervalSeconds="600">
    <cacheEventListenerFactory
        class="com.jeffp.MyCacheEventListenerFactory"/>
</cache>

<cache name="org.apache.shiro.realm.text.PropertiesRealm-0-accounts"
       maxElementsInMemory="1000"
       eternal="true"
       overflowToDisk="true">
    <cacheEventListenerFactory
        class="com.jeffp.MyCacheEventListenerFactory"/>
</cache>
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Issue-with-Shiro-authorization-getting-cleared-tp7140992p7140992.html
Sent from the Shiro User mailing list archive at Nabble.com.
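As an added diagnostic example (not code from the original post, nor from Shiro itself), here is a Realm subclass that makes the authorization cache's behaviour observable: it logs each cache miss (the only time Shiro invokes doGetAuthorizationInfo), logs every clear together with a stack trace of the caller, and refuses to initialise when the realm's authorizationCacheName is the same name EnterpriseCacheSessionDAO uses for its active-session cache (CachingSessionDAO.ACTIVE_SESSION_CACHE_NAME, which is "shiro-activeSessionCache"). It assumes Shiro 1.x and slf4j; the user and role maps are constructed for the example, and the stored hash is a placeholder value.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.mgt.eis.CachingSessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added diagnostic realm (example only; not from the original post or Shiro).
 * Makes authorization-cache activity visible and fails fast when the
 * authorization cache collides with the active-session cache.
 * Assumes Shiro 1.x and slf4j.
 */
public class DiagnosticRealm extends AuthorizingRealm {

    private static final Logger log = LoggerFactory.getLogger(DiagnosticRealm.class);

    // Constructed sample data for the example; a real realm queries a user store.
    private static final Map<String, String> STORED_HASHES = new HashMap<String, String>();
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        STORED_HASHES.put("alice", "<base64 SHA-256 hash, 1024 iterations>"); // placeholder
        ROLES.put("alice", new HashSet<String>(Collections.singleton("admin")));
    }

    @Override
    protected void onInit() {
        super.onInit();
        String authzCacheName = getAuthorizationCacheName();
        // Check: the authorization cache must not share its name with the cache
        // EnterpriseCacheSessionDAO stores sessions in; otherwise both kinds of
        // entry compete for one maxElementsInMemory and fire the same listeners.
        if (CachingSessionDAO.ACTIVE_SESSION_CACHE_NAME.equals(authzCacheName)) {
            throw new IllegalStateException("authorizationCacheName '" + authzCacheName
                    + "' is the active-session cache; give the realm a dedicated cache");
        }
        log.info("authorization caching enabled={} cache={}",
                isAuthorizationCachingEnabled(), authzCacheName);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        String storedHash = STORED_HASHES.get(username);
        if (storedHash == null) {
            return null; // unknown account; Shiro raises UnknownAccountException
        }
        // The configured CredentialsMatcher (e.g. Sha256CredentialsMatcher) compares
        // the submitted password against storedHash; nothing is verified here.
        return new SimpleAuthenticationInfo(username, storedHash, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Shiro calls this only on an authorization-cache miss, so a MISS logged for
        // a principal that has not logged out means the cached entry was lost.
        Object principal = getAvailablePrincipal(principals);
        Cache<Object, AuthorizationInfo> cache = getAuthorizationCache();
        int entries = (cache == null) ? -1 : cache.size();
        log.warn("authorization cache MISS for {} ({} entries in '{}')",
                new Object[] { principal, entries, getAuthorizationCacheName() });
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Set<String> roles = ROLES.get(String.valueOf(principal));
        info.setRoles(roles == null ? new HashSet<String>() : roles);
        return info;
    }

    @Override
    protected void clearCachedAuthorizationInfo(PrincipalCollection principals) {
        // Every explicit eviction (logout, manual clear) passes through here; the
        // attached Throwable records which code path requested it.
        log.warn("authorization cache CLEAR for " + getAvailablePrincipal(principals),
                new Throwable("clear requested from"));
        super.clearCachedAuthorizationInfo(principals);
    }
}
```

Wire it in place of siteRealm with the same credentialsMatcher and cacheManager properties, and register Shiro's LifecycleBeanPostProcessor (or call init() yourself) so onInit() actually runs. Reading the log afterwards: MISS lines for a principal that has not logged out, with no CLEAR line in between, mean the entry left the cache without Shiro asking for it (look at the Ehcache region's size limits and listeners); CLEAR lines name the caller in their stack trace.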