I've done some more digging with this. I've implemented a SessionListener as well and it appears that the sessions aren't being invalidated either. It basically looks like the logout isn't working at all. Can someone please check I'm not doing something stupid:
1. Am I correct in assuming that LogoutFilter, Subject.logout() or similar actions should result in an invalidated session?

2. Should I expect to get an onLogout event in a web application, or is there some extra magic I'm missing?

Any help would be much appreciated, as I'm still totally stumped on what I expected to be a relatively simple exercise.

Thanks,
Richard

From: Richard Wheeldon [mailto:[email protected]]
Sent: Monday, April 4, 2016 4:29 PM
To: [email protected]
Subject: Recording logouts using AuthenticationListener

Hi,

I'm building a web app using Shiro as a basis for authentication and RBAC. I'm using the ShiroFilter loading a shiro INI which sets up a JDBC realm, a form authentication filter and a logout filter tied into the default security manager. All this is working as expected. No probs.

/login.jsp = formAuth
/logout = logoutFilter
/** = formAuth

Now I'm trying to get a custom log of login / logout actions working using AuthenticationListener and am running into some problems. I've added my custom listener to securityManager.authenticator.authenticationListeners and it all loads fine. Logins are successfully recorded; I can get the username from the token's principal. Login failures work in the same way. So far so good.

securityManager.authenticator.authenticationListeners = $auditLogAuthListener

But when I go to logout, the listener never gets called. AFAICT, this is because onLogout only ever gets called if there is a non-empty list of principals (see DefaultSecurityManager.logout), but the principals list never seems to get set.

Has anyone got this to work who could give me a pointer or two to what I'm doing wrong? It would be much appreciated.

Thanks,
Richard
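For reference, here is a combined audit listener of the kind the thread describes, written as an added example rather than code from the poster or from Shiro itself; the class name, the `auditLog` bean name and the use of `DefaultWebSessionManager` (needed because only Shiro's native session managers accept session listeners) are assumptions. It records login success, login failure, logout and session stop/expiry so the two event streams can be compared when a logout appears to do nothing.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/*
 * Assumed shiro.ini wiring (bean name and session manager choice are this example's, not the thread's):
 *
 * [main]
 * auditLog = com.example.AuditLogListener
 * securityManager.authenticator.authenticationListeners = $auditLog
 * sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 * securityManager.sessionManager = $sessionManager
 * securityManager.sessionManager.sessionListeners = $auditLog
 */
public class AuditLogListener implements AuthenticationListener, SessionListener {
    private static final Logger log = LoggerFactory.getLogger(AuditLogListener.class);

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        // Use the realm-supplied principal rather than the raw token, in case the realm canonicalises names.
        log.info("LOGIN_OK user={}", info.getPrincipals().getPrimaryPrincipal());
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        // On failure only the token's principal is available; the credentials are deliberately not logged.
        log.warn("LOGIN_FAIL user={} reason={}", token.getPrincipal(), ae.getClass().getSimpleName());
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        // DefaultSecurityManager.logout notifies listeners only when the subject's principals are non-empty,
        // so an anonymous or already-logged-out subject never produces a LOGOUT record here.
        log.info("LOGOUT user={}", principals.getPrimaryPrincipal());
    }

    // Session-level events: a stop with no matching LOGOUT line means logout ran without principals.
    @Override public void onStart(Session s)      { log.debug("SESSION_START id={}", s.getId()); }
    @Override public void onStop(Session s)       { log.info("SESSION_STOP id={}", s.getId()); }
    @Override public void onExpiration(Session s) { log.info("SESSION_EXPIRED id={}", s.getId()); }
}
```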
