Have you tried to debug it? Maybe you have found a bug. Are you using native Shiro sessions or web session proxy? If using native sessions, have you set things up according to this documentation? http://shiro.apache.org/session-management.html section “session validation & scheduling”

> On May 4, 2016, at 3:11 PM, Richard Wheeldon <[email protected]> wrote:
>
> I’ve done some more digging with this, I’ve implemented a SessionListener as
> well and it appears that the sessions aren’t being invalidated either. It
> basically looks like the logout isn’t working at all. Can someone please
> check I’m not doing something stupid:
> 1. Am I correct in assuming that LogoutFilter, Subject.logout() or
>    similar actions should result in an invalidated session?
> 2. Should I expect to get an onLogout event in a web application or is
>    there some extra magic I’m missing?
>
> Any help would be much appreciated as I’m still totally stumped on what I
> expected to be a relatively simple exercise,
>
> Thanks,
>
> Richard
>
> From: Richard Wheeldon [mailto:[email protected]]
> Sent: Monday, April 4, 2016 4:29 PM
> To: [email protected]
> Subject: Recording logouts using AuthenticationListener
>
> Hi,
>
> I’m building a Web app using Shiro as a basis for authentication and RBAC.
> I’m using the ShiroFilter loading a shiro INI which sets up a JDBC realm, a
> form authentication filter and a log out filter tied into the default
> security manager. All this is working as expected. No probs.
>
>   /login.jsp = formAuth
>   /logout = logoutFilter
>   /** = formAuth
>
> Now I’m trying to get a custom log of login / logout actions working using
> AuthenticationListener and am running into some problems. I’ve added my
> custom listener to securityManager.authenticator.authenticationListeners and
> it all loads fine. Logins are successfully recorded, I can get the username
> from the token’s principal. Login failures work in the same way. So far so
> good.
>
>   securityManager.authenticator.authenticationListeners = $auditLogAuthListener
>
> But when I go to logout, the listener never gets called. AFAICT, this is
> because onLogout only ever gets called if there is a non-empty list of
> principals (see DefaultSecurityManager.logout) but the principals list never
> seems to get set.
>
> Has anyone got this to work who could give me a pointer or two to what I’m
> doing wrong? It would be much appreciated,
>
> Thanks,
>
> Richard
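
For reference, a sketch of the kind of audit listener the thread describes, covering both the AuthenticationListener and SessionListener callbacks. This is an added example, not code from either poster or from the Shiro project; the class name AuditLogListener, the logger name and the log line format are assumptions, and it does not by itself explain why onLogout was not firing.

```java
import java.util.logging.Logger;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical audit listener (class and logger names are assumptions).
public class AuditLogListener implements AuthenticationListener, SessionListener {
    private static final Logger AUDIT = Logger.getLogger("audit.auth");

    // Usernames on failed logins are attacker-controlled: replace control
    // characters so a crafted value cannot forge extra audit lines.
    static String clean(Object value) {
        return String.valueOf(value).replaceAll("\\p{Cntrl}", "_");
    }

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        AUDIT.info("login ok user=" + clean(token.getPrincipal()));
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        AUDIT.warning("login failed user=" + clean(token.getPrincipal())
                + " reason=" + ae.getClass().getSimpleName());
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        // Record the call even if the principals turn out to be missing,
        // so the audit trail shows that the callback fired at all.
        Object user = (principals == null || principals.isEmpty())
                ? "<none>" : principals.getPrimaryPrincipal();
        AUDIT.info("logout user=" + clean(user));
    }

    // Session events give a second trail for sessions that end without an
    // explicit logout. The session id is a credential, so it is not logged.
    @Override public void onStart(Session s) { AUDIT.info("session start host=" + clean(s.getHost())); }
    @Override public void onStop(Session s) { AUDIT.info("session stop host=" + clean(s.getHost())); }
    @Override public void onExpiration(Session s) { AUDIT.info("session expired host=" + clean(s.getHost())); }
}
```

The authentication side is registered through the securityManager.authenticator.authenticationListeners property quoted above; with native sessions the same object can also be listed under securityManager.sessionManager.sessionListeners.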
