Forgot to mention I used JAX-RS RESTful services.
Regards, Sreenivas Harshith.
On Tuesday, August 1, 2017 7:20 PM, sreenivas harshith
<[email protected]> wrote:
Hi,
I have this issue with Shiro on multi-threaded servers like Tomcat with
HTTP NIO enabled, where I keep getting the same session IDs for different users
when I use SecurityUtils.getSubject() to acquire the currently executing user.
SecurityUtils.getSubject() uses ThreadContext inside, and I guess the subject is
getting shared across threads, as I am using TomEE with HTTP NIO and threads are
re-used across requests. I did debug to find that
SecurityUtils.getSubject().isAuthenticated() returns true for a new request
before even authenticating him with login(token). The only workaround I found
was to build the subject with SubjectBuilder:

    Subject currentUser = new Subject.Builder().buildSubject();

This would fix the above issue I had with multi-threaded servers.
I had discussed the above issue with Brian Demers before. Please find the same
below.

[SHIRO-613] StoppedSessionException: Session with id has been explicitly
stopped. No further interaction under this session is allowed. - ASF JIRA
I just want to quote the issue with the Shiro community and the possible
workaround as above. Below are the details of a basic test case to reproduce
the issue.

Server: Any multi-threaded server (Apache TomEE WebProfile).
Default Session Manager and a Realm defined.
Get the Subject using SecurityUtils.getSubject() and log the user in with the token.
Try logging in the same user multiple times, let's say 10 times.
Expected output: 10 different session IDs, one every time the user logs in.
Actual output: The first 5 requests will emit 5 different session IDs and the
next 5 requests will emit the previously emitted session IDs in an undefined
order.
Regards, Sreenivas Harshith.
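
The mechanism the poster suspects, modelled as an added example that is not part of the original message and is not Shiro code: a plain JDK ThreadLocal stands in for Shiro's ThreadContext, and a fixed pool of 5 workers stands in for the server's request threads. The class and method names and the pool size are assumptions chosen to mirror the 10-login test case above.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class ThreadBoundSessionDemo {
    // Stand-in for thread-bound subject/session state (assumption: models ThreadContext).
    static final ThreadLocal<String> BOUND = new ThreadLocal<>();
    static final AtomicInteger NEXT_ID = new AtomicInteger();

    // Mimics "return the subject bound to this thread, creating one only if none is bound".
    static String currentSession() {
        String s = BOUND.get();
        if (s == null) {
            s = "session-" + NEXT_ID.incrementAndGet();
            BOUND.set(s);
        }
        return s;
    }

    // Runs simulated login requests on a pool of worker threads and returns the ids seen.
    static List<String> run(int threads, int requests, boolean clearAfterRequest) throws Exception {
        NEXT_ID.set(0);
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        List<Future<String>> futures = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            futures.add(pool.submit(() -> {
                try {
                    return currentSession();
                } finally {
                    // Per-request cleanup: without it the next request handled by
                    // this worker inherits the previous request's identity.
                    if (clearAfterRequest) BOUND.remove();
                }
            }));
        }
        List<String> ids = new ArrayList<>();
        for (Future<String> f : futures) ids.add(f.get());
        pool.shutdown();
        return ids;
    }

    public static void main(String[] args) throws Exception {
        List<String> leaky = run(5, 10, false);
        List<String> clean = run(5, 10, true);
        System.out.println("no cleanup:   " + new HashSet<>(leaky).size() + " distinct ids " + leaky);
        System.out.println("with cleanup: " + new HashSet<>(clean).size() + " distinct ids " + clean);
    }
}
```

A useful check on a real deployment is the same one the test case uses: count distinct session IDs across N fresh logins and treat any repeat as a sign that thread-bound state is surviving between requests.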