Many thanks for the response.

I’ve tried debugging it – that’s how I discovered that the principals list was 
empty in the first instance but I’m not a Shiro expert and I’m rather hazy on 
what’s supposed to be setting it in the first place. Any ideas? Whilst it’s 
perfectly possible that I’ve found a bug I very much doubt it’s the primary 
cause of my current problems – it would be a huge security hole if something 
like logout didn’t work.

I’m trying to use the native Shiro sessions with a simple MemorySessionDAO. The 
plan is to put the session info into RDS eventually but I’m trying to keep 
things simple until I get the basic stuff (i.e. login and logout) working. I 
haven’t ruled out the possibility that the native session handling is getting 
in the way but AFAICT it’s not. The cookies passed back and forwards are all of 
the Shiroesque form: JSESSIONID=44256c7e-dd9e-4614-adf9-205f581fc695; 
_ga=GA1.1.775913481.1456225578

I’ve read the link you suggested but I’m not sure the section you refer to is 
entirely pertinent. If I manually logout, surely that should invalidate the 
current session immediately? Or have I misunderstood?

Thanks,

Richard
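An added configuration example (not the poster's own shiro.ini) of the setup described above: native Shiro sessions backed by MemorySessionDAO, with the validation scheduler from the "session validation & scheduling" section of the linked documentation switched on. The class names are Shiro's own; the timeout and interval values are placeholders.

```ini
[main]
# Native Shiro sessions held in memory. Replace the DAO with a persistent
# implementation once session state moves to RDS; the rest stays the same.
sessionDAO = org.apache.shiro.session.mgt.eis.MemorySessionDAO
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO

# Placeholder values: 30 minute idle timeout, validation sweep every 15 minutes.
sessionManager.globalSessionTimeout = 1800000
sessionManager.sessionValidationSchedulerEnabled = true
sessionManager.sessionValidationInterval = 900000

securityManager.sessionManager = $sessionManager
```

The scheduler only reaps sessions that have already expired by timeout. An explicit Subject.logout() stops the current session directly as part of the security manager's logout, independently of the scheduler, so a session that survives a manual logout points at the logout path itself rather than at validation settings.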

From: Lenny Primak [mailto:[email protected]] 
Sent: Wednesday, May 4, 2016 10:14 PM
To: [email protected]
Subject: Re: Recording logouts using AuthenticationListener

Have you tried to debug it?  Maybe you have found a bug.

Are you using native Shiro sessions or web session proxy?

If using native sessions, have you set things up according to this 
documentation?

http://shiro.apache.org/session-management.html

section “session validation & scheduling”

On May 4, 2016, at 3:11 PM, Richard Wheeldon <[email protected]> wrote:

I’ve done some more digging with this, I’ve implemented a SessionListener as 
well and it appears that the sessions aren’t being invalidated either. It 
basically looks like the logout isn’t working at all. Can someone please check 
I’m not doing something stupid:

1. Am I correct in assuming that LogoutFilter, Subject.logout() or 
similar actions should result in an invalidated session?

2. Should I expect to get an onLogout event in a web application or is 
there some extra magic I’m missing?

Any help would be much appreciated as I’m still totally stumped on what I 
expected to be a relatively simple exercise,

Thanks,

Richard

From: Richard Wheeldon [mailto:[email protected]]
Sent: Monday, April 4, 2016 4:29 PM
To: [email protected]
Subject: Recording logouts using AuthenticationListener

Hi,

I’m building a Web app using Shiro as a basis for authentication and RBAC. I’m 
using the ShiroFilter loading a shiro INI which sets up a JDBC realm, a form 
authentication filter and a logout filter tied into the default security 
manager. All this is working as expected. No probs.

/login.jsp = formAuth

/logout = logoutFilter

/** = formAuth

Now I’m trying to get a custom log of login / logout actions working using 
AuthenticationListener and am running into some problems. I’ve added my custom 
listener to securityManager.authenticator.authenticationListeners and it all 
loads fine. Logins are successfully recorded, I can get the username from the 
token’s principal. Login failures work in the same way. So far so good.

securityManager.authenticator.authenticationListeners = $auditLogAuthListener

But when I go to logout, the listener never gets called. AFAICT, this is 
because onLogout only ever gets called if there is a non-empty list of 
principals (see DefaultSecurityManager.logout) but the principals list never 
seems to get set.

Has anyone got this to work who could give me a pointer or two to what I’m 
doing wrong? It would be much appreciated,

Thanks,

Richard
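An added example of the audit listener the original post describes; this is not the poster's code, and the package and class names are hypothetical. It assumes shiro-core and SLF4J on the classpath and is registered with the INI line quoted above (`securityManager.authenticator.authenticationListeners = $auditLogAuthListener`). Because DefaultSecurityManager.logout only notifies authentication listeners when the subject's principal collection is non-empty, the example also registers a SessionListener so that session termination is recorded even when onLogout is skipped.

```java
package com.example.audit; // hypothetical package

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Audit trail for login success, login failure and logout.
 *
 * Registered from shiro.ini as (hypothetical class name):
 *
 *   [main]
 *   auditLogAuthListener = com.example.audit.AuditLogAuthListener
 *   securityManager.authenticator.authenticationListeners = $auditLogAuthListener
 */
public class AuditLogAuthListener implements AuthenticationListener {

    private static final Logger AUDIT = LoggerFactory.getLogger("audit.auth");

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        // For a UsernamePasswordToken the principal is the submitted username.
        AUDIT.info("LOGIN_SUCCESS user={}", token.getPrincipal());
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        // Record the exception type rather than its message so that no
        // credential material or realm internals end up in the audit log.
        AUDIT.warn("LOGIN_FAILURE user={} reason={}",
                token.getPrincipal(), ae.getClass().getSimpleName());
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        // DefaultSecurityManager.logout() calls this only when the subject's
        // PrincipalCollection is non-null and non-empty, so principals is
        // safe to dereference here. If the collection is empty at logout time
        // this method is silently skipped; see AuditSessionListener below.
        AUDIT.info("LOGOUT user={}", principals.getPrimaryPrincipal());
    }

    /**
     * Independent record of session termination. Subject.logout() stops the
     * session regardless of whether onLogout fired, so onStop covers the gap.
     *
     * Registered with the native session manager as (hypothetical name):
     *
     *   auditSessionListener = com.example.audit.AuditLogAuthListener$AuditSessionListener
     *   sessionManager.sessionListeners = $auditSessionListener
     */
    public static class AuditSessionListener implements SessionListener {

        @Override
        public void onStart(Session session) {
            AUDIT.info("SESSION_START id={}", session.getId());
        }

        @Override
        public void onStop(Session session) {
            // Explicit stop: reached via logout or a direct Session.stop().
            AUDIT.info("SESSION_STOP id={}", session.getId());
        }

        @Override
        public void onExpiration(Session session) {
            // Timeout-driven removal by the session validation scheduler.
            AUDIT.info("SESSION_EXPIRED id={}", session.getId());
        }
    }
}
```

Logging the session id rather than the full cookie value keeps the audit log from becoming a store of reusable session tokens; correlating a SESSION_STOP with a preceding LOGIN_SUCCESS for the same session is enough to reconstruct a logout even when the principal collection was empty and onLogout never ran.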
