I am developing a JSF web based application that makes use of CDI managed beans and Shiro managed sessions. The problem I've got is when a JSF page that references an object annotated with @javax.enterprise.context.SessionScoped an UnknownSessionException is thrown. I have set the logging level to finest and looking through the application server log file I can see that when the user accesses the login page a new session is created along with a cookie that sets JSESSIONID to b2b69494-2236-467f-9e0b-3c262c74b7c4. When the user accesses the page that references the SessionScoped bean the cookie is updated to have a JSESSIONID set to 49253beaee601d4107cba4b61c77, at this point an UnknownSessionException is thrown. When accessing pages that reference a managed bean annotated with either @javax.enterprise.context.ApplicationScoped or @javax.faces.view.ViewScoped everything works fine.
It appears that when accessing a page that references a session scoped bean, the servlet container is creating a new session rather than allowing the Shiro managed session to be used. If I configure Shiro to use something other than JSESSIONID then the error isn't thrown but instead two sessions appear to be created, one managed by Shiro and the other managed by the servlet container. The contents of my shiro.ini file is [main] authc.loginUrl = /login.xhtml authc.usernameParam = login:username authc.passwordParam = login:password authc.rememberMeParam = login:rememberMe user.loginUrl = /login.xhtml authc.successUrl = /app/index.xhtml sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager [users] admin = password [urls] /login.xhtml = authc /app/** = user My environment is using Glassfish 4.1, Java EE version 7, Mojarra version 2.2.7 for JSF, Weld version 2.2.2 for CDI, and Shiro version 1.2.3. I have also reproduced the same issue on Glassfish version 4.0 albeit with earlier versions of Mojarra and Weld. I have uploaded the relevant portion of the application server log to PasteBin which can be accessed with the URL http://pastebin.com/2sPHfdTQ <http://pastebin.com/2sPHfdTQ> I've also created an example Maven project to demonstrate the problem. The example project can be downloaded from https://www.dropbox.com/s/1x9pe2o9ja0q9jw/TestJavaEE-web.zip?dl=0 <https://www.dropbox.com/s/1x9pe2o9ja0q9jw/TestJavaEE-web.zip?dl=0> which contains the source code and the complied war file. Is anyone else currently using CDI managed session scoped beans with Shiro managed sessions, and if so have you had any problems? Is there a configuration setting I've missed either in Shiro or GlassFish or is this a bug? Many Thanks Paul -- View this message in context: http://shiro-user.582556.n2.nabble.com/UnknownSessionException-when-using-SessionScoped-CDI-managed-beans-with-Shiro-managed-sessions-tp7580281.html Sent from the Shiro User mailing list archive at Nabble.com.
