Full test case:
Server: Any multi-threaded server (Apache TomEE WebProfile).
Default Session Manager and a Realm defined.
Get the Subject using SecurityUtils.getSubject() and log in the user with the token.
Try logging in the same user multiple times, let's say 10 times.
Expected output: 10 different session IDs, every time the user logs in.
Actual output: The first 5 requests will emit 5 different session IDs and the
next 5 requests will emit the previously emitted session IDs in an undefined order.
JAX-RS RESTful services.
I had increased the number of threads in Tomcat server.xml.

    On Tuesday, August 1, 2017 7:23 PM, sreenivas harshith 
<[email protected]> wrote:
 

Forgot to mention I used JAX-RS RESTful services.

Regards,
Sreenivas Harshith.

    On Tuesday, August 1, 2017 7:20 PM, sreenivas harshith 
<[email protected]> wrote:
 

 Hi,

I have this issue with Shiro on multi-threaded servers like Tomcat with
Http-NIO enabled, where I keep getting the same session IDs for different users
when I use SecurityUtils.getSubject() to acquire the currently executing user.
SecurityUtils.getSubject() uses ThreadContext inside, and I guess the subject is
getting shared across threads, as I am using TomEE with Http-NIO and threads are
re-used across requests. I did debug to find that
SecurityUtils.getSubject().isAuthenticated() returns true for a new request
before even authenticating him with login(token). The only workaround I found
was to build the subject with SubjectBuilder:
 Subject currentUser = new Subject.Builder().buildSubject();

This would fix the above issue I had with Multi-Threaded Servers.
I had discussed the above issue with Brian Demers before. Please find the same
below.

[SHIRO-613] StoppedSessionException: Session with id has been explicitly
stopped. No further interaction under this session is allowed. - ASF JIRA


  

 
I just want to quote the issue with the Shiro community and the possible
workaround as above. Below are the details of a basic test case to reproduce the
issue.

Server: Any multi-threaded server (Apache TomEE WebProfile).
Default Session Manager and a Realm defined.
Get the Subject using SecurityUtils.getSubject() and log in the user with the token.
Try logging in the same user multiple times, let's say 10 times.
Expected output: 10 different session IDs, every time the user logs in.
Actual output: The first 5 requests will emit 5 different session IDs and the
next 5 requests will emit the previously emitted session IDs in an undefined order.


Regards,
Sreenivas Harshith.
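
The pattern reported in this thread (first 5 logins give new session IDs, the next 5 repeat them) is what a thread-bound value does when it is left on a pooled worker thread. The following is an added example, not code from the thread or from Shiro: a plain ThreadLocal stands in for ThreadContext, the class and method names are hypothetical, and the pool size of 5 is an assumption chosen to match the test case.

```java
import java.util.*;
import java.util.concurrent.*;

// Stand-in for a thread-bound security context. Names are hypothetical,
// not Shiro's API; a plain ThreadLocal plays the role of ThreadContext.
public class ThreadBoundSubjectDemo {
    static final ThreadLocal<String> BOUND_SESSION = new ThreadLocal<>();

    // Mimics "return the subject bound to this thread, creating one if absent".
    static String currentSession() {
        String id = BOUND_SESSION.get();
        if (id == null) {
            id = UUID.randomUUID().toString();
            BOUND_SESSION.set(id);
        }
        return id;
    }

    // Runs `requests` simulated logins on `workers` pooled threads and
    // returns the session id each request observed.
    static List<String> run(int workers, int requests, boolean cleanup) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(workers);
        List<Future<String>> futures = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            futures.add(pool.submit(() -> {
                try {
                    return currentSession();
                } finally {
                    // Unbind before the thread goes back to the pool.
                    if (cleanup) BOUND_SESSION.remove();
                }
            }));
        }
        List<String> ids = new ArrayList<>();
        for (Future<String> f : futures) ids.add(f.get());
        pool.shutdown();
        return ids;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: 5 worker threads (assumed), 10 logins.
        int leaky = new HashSet<>(run(5, 10, false)).size();
        int clean = new HashSet<>(run(5, 10, true)).size();
        System.out.println("distinct ids without cleanup: " + leaky + " of 10");
        System.out.println("distinct ids with cleanup:    " + clean + " of 10");
    }
}
```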






   

   
