Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-486

HttpSessionBindingListener not called when session expires

Agile BoardAttach filesAttach ScreenshotAdd voteVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.2.1, 1.2.2
    • None
    • Session Management
    • None
    • jdk7

    Description

      I posted this in the user mailing list, but after some debugging I think it is a bug in shiro's native session management: It seems that the HttpSessionBindingListener that spring installs is not called on destroy, so Spring is not able to delete session-scoped beans.

      From the mailing list post:

      I'm having problems with session-scoped beans like this one

      @Named
      @Scope(proxyMode = ScopedProxyMode.TARGET_CLASS, value = "session")
      public class SessionBean {

      @PostConstruct
      public void init()

      @PreDestroy
      public void destroy()
      }

      Using Shiro's default "ServletContainerSessionManager" both methods are called as expected, but when I switch to native session management with DefaultWebSessionManager the pre-destroy method is never called (post construct gets called). The validationScheduler runs, and the globalSessionTimeout has been set.

      Anyone knows whats happening here ? I've uploaded a small example project as an attachement (just comment out the sessionManager in applicationContext.xml to see the working @PreDestroy).

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            x1000 Steve

            Dates

              Created:
              Updated:

              Slack

                Issue deployment