
I'm trying to replace the session management (currently handled by Catalina/Tomcat) of my webapp with Shiro native session management.

This should be a fairly easy job, as is advertised by the Shiro website:

> Transparent HttpSession support - If you are using Shiro's native sessions, we have implemented HTTP Session API and the Servlet 2.5 API so you don't have to change any of your existing web code to use Shiro.

So after you have replaced the local session manager with Shiro's DefaultWebSessionManager, everything should work out of the box.

This is also the case for my webapp, except for a certain javax.servlet.http.HttpSessionListener. This Listener no longer gets events since using Shiro's session management.

No worries, I thought! Shiro offers its own org.apache.shiro.session.SessionListener interface that can be linked to the session manager.

However, this interface differs a lot from javax.servlet.http.HttpSessionListener. There are no longer HttpSession objects passed; instead the Shiro listener passes its own org.apache.shiro.session.Session objects with the events.

My existing implementation of course only works with HttpSession objects. I found out that a Shiro Session can be transformed to an HttpSession:

```java
// HttpServletRequest currentRequest;
// ServletContext servletContext;
// Session session;
HttpSession httpSession = new ShiroHttpSession(session, currentRequest, servletContext);
```

However, there is no way to access the HttpServletRequest and ServletContext from the Shiro SessionListener.

Any ideas how to solve this problem, e.g. can you answer one of these two questions?

  1. Why is the old javax.servlet.http.HttpSessionListener no longer called?
  2. How do I transform Shiro Session objects to HttpSession objects in the Shiro SessionListener?

1 Answer

> Why is the old javax.servlet.http.HttpSessionListener no longer called?

As you've explained, Session management is now handled through Shiro instead of through the Servlet container. As such, even if your HttpSessionListener is registered, your Servlet container is just not creating any HttpSession objects and therefore not using any of the HttpSessionListener callbacks.

> How do I transform Shiro Session objects to HttpSession objects in the shiro SessionListener?

You don't and you shouldn't.

If you explain what you want to do with the HttpSession, we might be able to find alternatives.

Sotirios Delimanolis
  • Simply put, all code in my old SessionListener is written to work with HttpSessions. How can I reuse this code without having to refactor it all to use Shiro Session objects? This will be quite a lot of work. – Karsten Daemen Jan 20 '14 at 15:39
  • @KarstenDaemen What `HttpSession` methods are you using? Shiro's `Session` has attribute setters and getters as well, but obviously those aren't available to JSPs and such. – Sotirios Delimanolis Jan 20 '14 at 15:41
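
One way to reuse listener logic under Shiro native sessions without converting session objects, shown as an added example that is not part of the original question, answer or comments: the logic depends only on an attribute lookup, and a thin adapter per session API feeds it. The class names, the `"user"` attribute key and the logger name are hypothetical, and the Shiro and `javax.servlet` APIs are assumed to be on the classpath.

```java
import java.util.Collections;
import java.util.function.Function;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

// Hypothetical shared logic: it sees an attribute lookup, never a session type.
final class SessionEndHandler {
    private static final Logger LOG = Logger.getLogger("session-audit");

    void onEnd(Function<String, Object> attr, String reason) {
        Object user = attr.apply("user"); // "user" is an assumed attribute key
        // Log the principal and reason only; the session id stays out of the log.
        LOG.info("session " + reason + " for user=" + user);
    }
}

// Container-managed sessions: the existing HttpSessionListener becomes a thin adapter.
final class ContainerSessionAdapter implements HttpSessionListener {
    private final SessionEndHandler handler = new SessionEndHandler();

    @Override public void sessionCreated(HttpSessionEvent e) { }

    @Override public void sessionDestroyed(HttpSessionEvent e) {
        handler.onEnd(e.getSession()::getAttribute, "destroyed");
    }
}

// Shiro native sessions: the same handler, fed from Shiro's Session.
final class ShiroSessionAdapter implements SessionListener {
    private final SessionEndHandler handler = new SessionEndHandler();

    @Override public void onStart(Session s) { }
    @Override public void onStop(Session s) { handler.onEnd(s::getAttribute, "stopped"); }
    @Override public void onExpiration(Session s) { handler.onEnd(s::getAttribute, "expired"); }
}

final class SessionManagerConfig {
    // Registers the Shiro adapter on the native session manager.
    static DefaultWebSessionManager build() {
        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        manager.setSessionListeners(
            Collections.<SessionListener>singletonList(new ShiroSessionAdapter()));
        return manager;
    }
}
```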