I'm trying to generate the Facebook link through
fbClient.getRedirectionUrl(new ShiroWebContext(req, resp), false);

And this threw this exception:

org.apache.shiro.subject.support.DisabledSessionException: Session creation
has been disabled for the current subject.  This exception indicates that
there is either a programming error (using a session when it should never
be used) or that Shiro's configuration needs to be adjusted to allow
Sessions to be created for the current Subject.  See the
org.apache.shiro.subject.support.DisabledSessionException JavaDoc for more.
at org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:331)
at org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:312)
at io.buji.pac4j.ShiroWebContext.setSessionAttribute(ShiroWebContext.java:51)
at org.pac4j.oauth.client.BaseOAuth20Client.retrieveAuthorizationUrl(BaseOAuth20Client.java:52)
at org.pac4j.oauth.client.BaseOAuthClient.retrieveRedirectionUrl(BaseOAuthClient.java:92)
at org.pac4j.core.client.BaseClient.getRedirectionUrl(BaseClient.java:117)
at web.controller.common.CommonController.signupPageImpl(CommonController.java:77)
at web.controller.common.CommonController.access$0(CommonController.java:74)
at web.controller.common.CommonController$1.exec(CommonController.java:70)
at web.controller.WebTemplate.execImpl(WebTemplate.java:71)
at web.controller.WebTemplate.execWithoutMwdService(WebTemplate.java:45)
at web.controller.common.CommonController.signupPage(CommonController.java:66)

My environment is Spring MVC, using a custom realm, a custom session DAO,
and native sessions.

<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="globalSessionTimeout" value="xxx" />
    <property name="sessionDAO" ref="sessionDAO" />
    <property name="sessionValidationSchedulerEnabled" value="false" />
    <property name="sessionIdCookie.domain" value="xxx.com" />
</bean>

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="sessionMode" value="native" />
    <property name="realms">
        <list>
            <ref bean="mainRealm" />
        </list>
    </property>
    <property name="sessionManager" ref="sessionManager" />
</bean>

And here are the buji-specific configs:

<bean id="facebookClient" class="org.pac4j.oauth.client.FacebookClient">
    <constructor-arg name="key" value="myAppId" />
    <constructor-arg name="secret" value="mySecret" />
</bean>

<bean id="clients" class="org.pac4j.core.client.Clients">
    <constructor-arg name="callbackUrl" value="http://myweb.com:8080/social-callback" />
    <constructor-arg name="clients">
        <list>
            <ref bean="facebookClient" />
        </list>
    </constructor-arg>
</bean>

<bean id="clientsFilter" class="io.buji.pac4j.ClientFilter">
    <property name="failureUrl" value="/404.html" />
    <property name="clients">
        <ref bean="clients" />
    </property>
</bean>

<bean id="clientsRealm" class="io.buji.pac4j.ClientRealm">
    <property name="defaultRoles" value="ROLE_USER" />
    <property name="clients">
        <ref bean="clients" />
    </property>
</bean>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login"/>
    <property name="successUrl" value="/"/>
    <property name="unauthorizedUrl" value="/signup"/>
    <property name="filterChainDefinitions">
        <value>
            /login = authc
            /logout = noSessionCreation, logout
            /** = noSessionCreation, anon
            /social-callback = clientsFilter
        </value>
    </property>
</bean>

Please note that with this configuration, the normal form-based
username-password authentication works perfectly,
where a session is created for every successful user login.

What did I do wrong?

Thank you.

-- 
Do not pursue the past. Do not lose yourself in the future.
The past no longer is. The future has not yet come.
Looking deeply at life as it is in the very here and now,
the practitioner dwells in stability and freedom.
(Thich Nhat Hanh)

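Added example, not part of the original message and not Shiro or buji-pac4j code: a simplified model of how Shiro applies the first matching entry in filterChainDefinitions, run over the chain order posted above. The /signup path (taken here as the page served by signupPage), the reordered variant and the matches() helper are assumptions; the helper is a stand-in for Shiro's Ant-style path matching.

```java
import java.util.*;
import java.util.regex.Pattern;

// Simplified model of first-match-wins chain resolution (illustration only).
public class ChainOrderCheck {

    // Simplified Ant-style match: "**" may span "/", a single "*" may not.
    static boolean matches(String pattern, String path) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            if (c == '*' && i + 1 < pattern.length() && pattern.charAt(i + 1) == '*') {
                re.append(".*");
                i++;
            } else if (c == '*') {
                re.append("[^/]*");
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.matches(re.toString(), path);
    }

    // Returns the filter list of the first definition whose pattern matches.
    static String resolve(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet())
            if (matches(e.getKey(), path)) return e.getValue();
        return null;
    }

    // Builds an insertion-ordered map from pattern/filter pairs.
    static Map<String, String> chains(String... kv) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        // Order exactly as in the posted filterChainDefinitions.
        Map<String, String> posted = chains("/login", "authc",
            "/logout", "noSessionCreation, logout",
            "/**", "noSessionCreation, anon", "/social-callback", "clientsFilter");
        // Assumed variant: specific paths first, sessions allowed on /signup.
        Map<String, String> reordered = chains("/login", "authc",
            "/logout", "noSessionCreation, logout", "/social-callback", "clientsFilter",
            "/signup", "anon", "/**", "noSessionCreation, anon");
        for (String path : new String[] {"/signup", "/social-callback"})
            System.out.println(path + "  posted: " + resolve(posted, path)
                + "  reordered: " + resolve(reordered, path));
    }
}
```

In the posted order every path other than /login and /logout, including /social-callback, resolves to the /** entry, and noSessionCreation is the filter that makes Subject.getSession() throw the DisabledSessionException seen in the trace when ShiroWebContext.setSessionAttribute is called.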