1. 首頁
  2. 問答
  3. Shiro UnknownSessionException註銷後

Shiro UnknownSessionException註銷後

2012-11-02 49 views
3

我目前正在使用JavaEE6堆棧中的Web應用程序,並且已經集成了Shiro以實現安全性。我認爲認證和授權現在正常工作,我有最後一個問題。Shiro UnknownSessionException註銷後

當我退出,我現在遇到UnknownSessionException,這裏是我的配置和代碼檢查:

的web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" 
    version="3.0"> 

    <!-- Welcome page --> 
    <welcome-file-list> 
     <welcome-file>home.xhtml</welcome-file> 
    </welcome-file-list> 

    <listener> 
     <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class> 
    </listener> 

    <filter> 
     <filter-name>ShiroFilter</filter-name> 
     <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class> 
    </filter> 

    <filter-mapping> 
     <filter-name>ShiroFilter</filter-name> 
     <url-pattern>/*</url-pattern> 
     <dispatcher>REQUEST</dispatcher> 
     <dispatcher>FORWARD</dispatcher> 
     <dispatcher>INCLUDE</dispatcher> 
     <dispatcher>ERROR</dispatcher> 
    </filter-mapping> 

    <servlet> 
     <servlet-name>Faces Servlet</servlet-name> 
     <servlet-class>javax.faces.webapp.FacesServlet</servlet-class> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 

    <!-- Map these files with JSF --> 
    <servlet-mapping> 
     <servlet-name>Faces Servlet</servlet-name> 
     <url-pattern>/faces/*</url-pattern> 
    </servlet-mapping> 
    <servlet-mapping> 
     <servlet-name>Faces Servlet</servlet-name> 
     <url-pattern>*.jsf</url-pattern> 
    </servlet-mapping> 
    <servlet-mapping> 
     <servlet-name>Faces Servlet</servlet-name> 
     <url-pattern>*.faces</url-pattern> 
    </servlet-mapping> 
    <servlet-mapping> 
     <servlet-name>Faces Servlet</servlet-name> 
     <url-pattern>*.xhtml</url-pattern> 
    </servlet-mapping> 
</web-app>

shiro.ini

[main] 
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl 

# any object property is automatically configurable in Shiro.ini file 
saltedJdbcRealm.jndiDataSourceName = czetsuyaPortal 

# the realm should handle also authorization 
saltedJdbcRealm.permissionsLookupEnabled = true 

# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?" 
# first result column is password, second result column is salt 
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM czetsuya_users WHERE username = ? 

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?" 
saltedJdbcRealm.userRolesQuery = SELECT name FROM czetsuya_roles a INNER JOIN czetsuya_user_roles b ON a.id = b.role_id INNER JOIN czetsuya_users c ON c.id = b.user_id WHERE c.username = ? 

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?" 
saltedJdbcRealm.permissionsQuery = SELECT action FROM czetsuya_permissions WHERE role = ? 

# password hashing specification, put something big for hasIterations 
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher 
sha256Matcher.hashAlgorithmName = SHA-256 
sha256Matcher.hashIterations = 1 
saltedJdbcRealm.credentialsMatcher = $sha256Matcher 
securityManager.realms = saltedJdbcRealm 

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO 
sessionDAO.activeSessionsCacheName = shiro-activeSessionCache 
securityManager.sessionManager.sessionDAO = $sessionDAO 

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager 
securityManager.sessionManager = $sessionManager 

sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler 
# 1,800,000 milliseconds = 30 mins 
sessionValidationScheduler.interval = 1800000 
securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler 

securityManager.sessionManager.sessionIdCookie.domain = com.czetsuya 
# 1,800,000 milliseconds = 30 mins 
securityManager.sessionManager.globalSessionTimeout = 1800000 

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager 
cacheManager.cacheManagerConfigFile = classpath:shiro-ehcache.xml 
securityManager.cacheManager = $cacheManager 

czetsuyaFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter 
czetsuyaFilter.loginUrl = /faces/login.xhtml 
czetsuyaFilter.unauthorizedUrl = /faces/login.xhtml 
# logout.redirectUrl = /faces/login.xhtml 

[urls] 
/login.xhtml = czetsuyaFilter 
/secure/** = czetsuyaFilter 
/api/** = noSessionCreation, czetsuyaFilter 
# /logout = logout

的一部分,其中我請求註銷:

public String logout() { 
    Subject subject = SecurityUtils.getSubject(); 
    if (subject != null) { 
     subject.logout(); 
    } 

    return "/home.xhtml?faces-redirect=true"; 
}

謝謝,
czetsuya

來源

2012-11-02 czetsuya

回答

0

具有這種配置的問題是該行:

securityManager.sessionManager.globalSessionTimeout = 1800000

應該註釋掉。它不適用於shiro的本地會話。

或者替代方案是使用HttpSession(不是shiro)。這裏是配置文件:

[main] 
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl 

# any object property is automatically configurable in Shiro.ini file 
saltedJdbcRealm.jndiDataSourceName = dropshipDS 

# the realm should handle also authorization 
saltedJdbcRealm.permissionsLookupEnabled = true 

# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?" 
# first result column is password, second result column is salt 
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM crm_users WHERE disabled = false AND username = ? 

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?" 
saltedJdbcRealm.userRolesQuery = SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ? 

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?" 
saltedJdbcRealm.permissionsQuery = SELECT action FROM crm_permissions WHERE role = ? 

# password hashing specification, put something big for hasIterations 
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher 
sha256Matcher.hashAlgorithmName = SHA-256 
sha256Matcher.hashIterations = 1 
saltedJdbcRealm.credentialsMatcher = $sha256Matcher 
securityManager.realms = $saltedJdbcRealm 

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager 
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml 
securityManager.cacheManager = $cacheManager 

dsFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter 
dsFilter.loginUrl = /login.xhtml 

roles = com.czetsuya.commons.web.security.shiro.RolesAuthorizationFilter 

[urls] 
/login.xhtml = dsFilter 
/backend/** = dsFilter, roles[backend] 
/affiliate/** = dsFilter, roles[affiliate] 
/api/** = noSessionCreation, dsFilter 
/logout = logout

來源

2013-01-07 05:13:04 czetsuya

相關問題

 相關問題