[SHIRO-512] Race condition in Shiro's web container session timeout handling - ASF JIRA

Agile Board

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Resolved
Affects Version/s: 1.2.2, 1.2.3
Fix Version/s: 2.0.0-alpha, 1.10.0
Component/s: Authentication (log-in)
Labels:
None

Description

I cannot find anywhere that Shiro uses HttpSessionListener to trap sessionDestroyed event from the container.
I believe this is leading to a rare race condition in my application, as Shiro thinks the session is still active,
but in reality, the web session has been destroyed.

Code: SecurityUtils.getSubject().getPrincipal();

Relevant bit of stack trace:

Caused by: org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException: PWC2778: getAttribute: Session already invalidated
at org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148)
at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)
at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153)
at org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149)

Link to the mailing list thread:
http://shiro-user.582556.n2.nabble.com/Possible-race-condition-in-Shiro-s-web-container-session-timeout-handling-td7580138.html