For posterity this is a cross post: http://stackoverflow.com/questions/41989923/apache-shiro-session-timeout-after-login
On Thu, Feb 2, 2017 at 2:23 PM, Erick Barreto <[email protected]> wrote:

> Hi all,
>
> I'm using Shiro in a project with JSF2 + CDI + Primefaces (deployed on
> WildFly 10). I'm configuring the whole security environment with Shiro
> only.
>
> The problem I'm facing is this:
>
> When the user logs in, the session automatically expires and I'm not able to
> get the session from the Subject (Subject.getSession) or from FacesContext.
> They both return null.
>
> I was able to work around it by changing javax.faces.STATE_SAVING_METHOD to
> CLIENT and now I'm able to log in. However, in any navigation, when I go to
> another page, the Session object returns null like it was happening before.
>
> Enabling the log, I found this exception which, by the way, happens in both
> cases
>
> DEBUG [default task-13] (AbstractShiroFilter.java:411) - No FilterChainResolver configured. Returning original FilterChain.
> DEBUG [default task-14] (SimpleCookie.java:389) - Found 'JSESSIONID' cookie value [308e4bee-23f9-4ab1-8a43-64e1e3950445]
> DEBUG [default task-14] (DefaultSecurityManager.java:447) - Resolved SubjectContext context session is invalid. Ignoring and creating an anonymous (session-less) Subject instance.
> org.apache.shiro.session.UnknownSessionException: There is no session with id [308e4bee-23f9-4ab1-8a43-64e1e3950445.sesco11]
>     at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
>     at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
>     at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
>     at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
>     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:148)
>     at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getSession(AbstractNativeSessionManager.java:140)
>     at org.apache.shiro.mgt.SessionsSecurityManager.getSession(SessionsSecurityManager.java:156)
>     at org.apache.shiro.mgt.DefaultSecurityManager.resolveContextSession(DefaultSecurityManager.java:456)
>     at org.apache.shiro.mgt.DefaultSecurityManager.resolveSession(DefaultSecurityManager.java:442)
>     at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:338)
>     at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846)
>     at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
>     at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
>     at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>
> What's weird is the fact Shiro is calling AbstractSessionDAO from
> DefaultSessionManager, but Shiro.ini is configured with
> DefaultWebSessionManager and EnterpriseCacheSessionDAO.
>
> [main]
>
> authc.loginUrl = /login.xhtml
>
> customRealm = xxxx.xxx.xxx.xxx.CustomRealm
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>
> authenticator = xxx.xxx.xxx.CustomAuthenticator
>
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
>
> securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
> securityManager.realms = $customRealm
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.globalSessionTimeout = 1800000
> securityManager.authenticator = $authenticator
> sessionManager.sessionDAO = $sessionDAO
>
> ssl.enabled = false
>
> [users]
>
> [roles]
>
> [urls]
>
> Am I missing something in the configuration files? Maybe Shiro did not
> configure itself as described in shiro.ini? Maybe I'm losing the sessions or
> they are invalidating.
>
> Thank you,
> Erick
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Session-expires-after-log-in-tp7581491.html
> Sent from the Shiro User mailing list archive at Nabble.com.
