8

My standalone application uses Shiro for security management. I am encountering a problem with expired sessions. If a user session expires and I try to log the user back in, I get the following exception. Could anybody help?

org.apache.shiro.session.UnknownSessionException: There is no session with id [d32af383-5f26-463f-a2f0-58a0e82c7890]
 at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
 at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
 at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
 at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
 at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:105)
 at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:109)
 at org.apache.shiro.session.mgt.AbstractNativeSessionManager.stop(AbstractNativeSessionManager.java:238)
 at org.apache.shiro.session.mgt.DelegatingSession.stop(DelegatingSession.java:127)
 at org.apache.shiro.session.ProxiedSession.stop(ProxiedSession.java:107)
 at org.apache.shiro.subject.support.DelegatingSubject$StoppingAwareProxiedSession.stop(DelegatingSubject.java:419)
 at org.apache.shiro.session.ProxiedSession.stop(ProxiedSession.java:107)
 at org.apache.shiro.subject.support.DelegatingSubject$StoppingAwareProxiedSession.stop(DelegatingSubject.java:419)

I am using Spring to configure Shiro:

<bean id="securityManager" class="org.apache.shiro.mgt.DefaultSecurityManager"> 
    <property name="realm" ref="myRealm"/>
    <property name="sessionManager.globalSessionTimeout" value="3600000" />
</bean> 
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> 
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">  
    <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/> 
    <property name="arguments" ref="securityManager"/> 
</bean> 
JBert
Amar Sosa

1 Answer

5

I'm facing the same issue while using a remote EJB for authentication.

As a workaround the first login attempt is in a try/catch block catching the UnknownSessionException. A Subject is then built from scratch for logging in the user again.

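import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.subject.Subject;

// subject and session are declared by the surrounding code
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
try {
    subject.login(token);
} catch (UnknownSessionException use) {
    // The old session is gone: build a new Subject and log in on that one
    subject = new Subject.Builder().buildSubject();
    subject.login(token);
    session = subject.getSession(true);
}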
zellus
  • I tried this workaround, but it doesn't seem to work. The issue prevails. – Amar Sosa Dec 13 '12 at 07:40
  • @Amar Sosa: Can you post your Shiro configuration and relevant Shiro code? – zellus Dec 13 '12 at 08:56
  • I am using Spring to configure Shiro – Amar Sosa Dec 13 '12 at 18:09
  • I tried the following: UsernamePasswordToken token = new UsernamePasswordToken(username, password); try { subject.login(token); } catch (UnknownSessionException use) { subject = new Subject.Builder().buildSubject(); try { subject.login(token); } catch (UnknownSessionException use2) { subject = new Subject.Builder().buildSubject(); } subject.login(token); session = subject.getSession(true); } So literally, one more trial attempt to log in. This is so strange. Apparently something gets cleaned up before the last login attempt. – Amar Sosa Dec 15 '12 at 03:44
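
One way to structure the re-login discussed in this thread so that no reference to the dead session is reused, as an added example (not code from the question, the answer, or the Shiro project): it probes the current session and, on any InvalidSessionException (the parent type of both UnknownSessionException and ExpiredSessionException), replaces the thread-bound Subject before logging in. The class and helper names, the account `alice`, its password and the in-memory realm are constructed for the demo, and the thread does not confirm that this resolves the asker's case.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class StaleSessionRelogin { // hypothetical class name

    // Hypothetical helper: log in, replacing the thread-bound Subject first
    // if its session has expired or was already removed from the session store.
    static Subject loginDiscardingStaleSession(String user, char[] password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            Session old = subject.getSession(false);
            if (old != null) {
                old.touch(); // any session access forces validation against the store
            }
        } catch (InvalidSessionException stale) {
            // Covers ExpiredSessionException and UnknownSessionException alike.
            ThreadContext.unbindSubject();
            subject = new Subject.Builder().buildSubject(); // no session attached yet
            ThreadContext.bind(subject); // SecurityUtils.getSubject() now returns it
        }
        subject.login(new UsernamePasswordToken(user, password));
        return subject;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed in-memory realm and account, for the demo only.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-password");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject first = loginDiscardingStaleSession("alice", "constructed-password".toCharArray());
        Object firstId = first.getSession().getId();
        first.getSession().setTimeout(1); // 1 ms, so the session expires at once
        Thread.sleep(50);

        Subject second = loginDiscardingStaleSession("alice", "constructed-password".toCharArray());
        System.out.println("new Subject instance: " + (second != first));
        System.out.println("authenticated: " + second.isAuthenticated());
        System.out.println("new session id: " + !firstId.equals(second.getSession().getId()));
    }
}
```

It needs only shiro-core and its dependencies on the classpath.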