I'm seeing an error on login each time the session times out in my web
application, followed by the user logging out and logging in. The webapp
provides a logout link, which does not have any logic to disable/enable the
link based on whether the session has timed out or not - the user can click the
logout link, but subject.logout() will not actually be called (see below). In
normal operation, logging in, out, and back in again works fine. If the user
logs in and then waits for the session to time out, then hits the logout link,
the following gets executed:

    if (subject.isAuthenticated()) {
        subject.logout();
    }
The subject.logout() is not actually called as the session has expired so
isAuthenticated() returns false. Following this the user lands on the login
page again. Next request to login fails with this error:
    18:33:18,328 ERROR [Identity] (http--0.0.0.0-8080-5) () Login failed: java.lang.IllegalArgumentException: HttpSession constructor argument cannot be null.
        at org.apache.shiro.web.session.HttpServletSession.<init>(HttpServletSession.java:51) [shiro-web-1.2.0-20120120.051708-65.jar:]
        at org.apache.shiro.web.session.mgt.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:119) [shiro-web-1.2.0-20120120.051708-65.jar:]
        at org.apache.shiro.web.session.mgt.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:115) [shiro-web-1.2.0-20120120.051708-65.jar:]
        at org.apache.shiro.web.session.mgt.ServletContainerSessionManager.start(ServletContainerSessionManager.java:64) [shiro-web-1.2.0-20120120.051708-65.jar:]
        at org.apache.shiro.mgt.SessionsSecurityManager.start(SessionsSecurityManager.java:121) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:336) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:314) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.mgt.DefaultSubjectDAO.mergePrincipals(DefaultSubjectDAO.java:182) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.mgt.DefaultSubjectDAO.saveToSession(DefaultSubjectDAO.java:163) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.mgt.DefaultSubjectDAO.save(DefaultSubjectDAO.java:144) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.mgt.DefaultSecurityManager.save(DefaultSecurityManager.java:383) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:350) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.0-20120120.051646-69.jar:]
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:257) [shiro-core-1.2.0-20120120.051646-69.jar:]

Normal logouts followed by logins work fine if the session does not time out,
but the error is thrown on each login attempt following a session timeout and
logout.

I thought the most likely cause would be a mistake where subject.logout() is
called in the same request/response as making a subject.login() call, but I have
confirmed this is not the case. I suspect this may be session management related,
but it is not clear what might be causing this - any ideas?
Thanks,
Martin