Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-486

HttpSessionBindingListener not called when session expires

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.2.1, 1.2.2
    • Fix Version/s: None
    • Component/s: Session Management
    • Labels:
      None
    • Environment:
      jdk7

      Description

      I posted this in the user mailing list, but after some debugging I think it is a bug in shiro's native session management: It seems that the HttpSessionBindingListener that spring installs is not called on destroy, so Spring is not able to delete session-scoped beans.

      From the mailing list post:

      I'm having problems with session-scoped beans like this one

      @Named
      @Scope(proxyMode = ScopedProxyMode.TARGET_CLASS, value = "session")
      public class SessionBean {

      @PostConstruct
      public void init()

      @PreDestroy
      public void destroy()
      }

      Using Shiro's default "ServletContainerSessionManager" both methods are called as expected, but when I switch to native session management with DefaultWebSessionManager the pre-destroy method is never called (post construct gets called). The validationScheduler runs, and the globalSessionTimeout has been set.

      Anyone knows whats happening here ? I've uploaded a small example project as an attachement (just comment out the sessionManager in applicationContext.xml to see the working @PreDestroy).

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              x1000 Steve
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: