Details
-
Bug
-
Status: Resolved
-
Minor
-
Resolution: Resolved
-
1.2.2, 1.2.3
-
None
Description
I cannot find anywhere that Shiro uses HttpSessionListener to trap sessionDestroyed event from the container.
I believe this is leading to a rare race condition in my application, as Shiro thinks the session is still active,
but in reality, the web session has been destroyed.
Code: SecurityUtils.getSubject().getPrincipal();
Relevant bit of stack trace:
Caused by: org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException: PWC2778: getAttribute: Session already invalidated
at org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148)
at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)
at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153)
at org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149)
Link to the mailing list thread:
http://shiro-user.582556.n2.nabble.com/Possible-race-condition-in-Shiro-s-web-container-session-timeout-handling-td7580138.html
Attachments
Issue Links
- links to
