Question:

Shiro UnknownSessionException after logout

鞠安民
2023-03-14

I am currently developing a web application on the Java EE 6 stack and have integrated Shiro for security. I believe authentication and authorization now work correctly; I have one last problem.

When I log out I get an UnknownSessionException. Below are my configuration and the code in question:

web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">

    <!-- Welcome page -->
    <welcome-file-list>
        <welcome-file>home.xhtml</welcome-file>
    </welcome-file-list>

    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- Map these files with JSF -->
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.faces</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
</web-app>

shiro.ini

[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in the shiro.ini file
saltedJdbcRealm.jndiDataSourceName = czetsuyaPortal

# the realm should also handle authorization
saltedJdbcRealm.permissionsLookupEnabled = true

# If not set, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is the password, second result column is the salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM czetsuya_users WHERE username = ?

# If not set, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM czetsuya_roles a INNER JOIN czetsuya_user_roles b ON a.id = b.role_id INNER JOIN czetsuya_users c ON c.id = b.user_id WHERE c.username = ?

# If not set, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM czetsuya_permissions WHERE role = ?

# password hashing specification, put something big for hashIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
# object references in shiro.ini need the $ prefix; a bare name is read as a plain string
securityManager.realms = $saltedJdbcRealm

# Install the native session manager before configuring it: properties assigned to
# securityManager.sessionManager above this line are applied to the default
# (servlet container) session manager, which is replaced here.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = shiro-activeSessionCache
securityManager.sessionManager.sessionDAO = $sessionDAO

sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
# 1,800,000 milliseconds = 30 mins
sessionValidationScheduler.interval = 1800000
# the scheduler needs a reference to the session manager whose sessions it validates
sessionValidationScheduler.sessionManager = $sessionManager
securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler

securityManager.sessionManager.sessionIdCookie.domain = com.czetsuya
# 1,800,000 milliseconds = 30 mins
securityManager.sessionManager.globalSessionTimeout = 1800000

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:shiro-ehcache.xml
securityManager.cacheManager = $cacheManager

czetsuyaFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
czetsuyaFilter.loginUrl = /faces/login.xhtml
czetsuyaFilter.unauthorizedUrl = /faces/login.xhtml
# logout.redirectUrl = /faces/login.xhtml

[urls]
/login.xhtml = czetsuyaFilter
/secure/** = czetsuyaFilter
/api/** = noSessionCreation, czetsuyaFilter
# /logout = logout

The part where I call logout:

public String logout() {
    Subject subject = SecurityUtils.getSubject();
    if (subject != null) {
        subject.logout();
    }

    return "/home.xhtml?faces-redirect=true";
}

Thanks,
czetsuya
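Added example, not code from the question or from the answer below: a JSF 2.0 managed bean that performs the logout the way I would write it against the native-session configuration above. It assumes Shiro 1.2.x and JSF 2.0 on the Java EE 6 stack the question describes; the bean name and the landing page /faces/home.xhtml are assumptions. The point it demonstrates is finishing the HTTP response inside the action method: once subject.logout() has stopped the native session and removed it from the SessionDAO, any later use of a Session or HttpSession wrapper that still carries the old session id fails with UnknownSessionException, so the redirect is sent directly and the JSF lifecycle is marked complete instead of returning a faces-redirect navigation outcome that JSF would finish against the stopped session.

```java
import java.io.IOException;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.subject.Subject;

/**
 * Logs the current Subject out of Shiro and ends the JSF request in one step.
 * Wire it up with <h:commandLink value="Logout" action="#{logoutBean.logout}"/>.
 */
@ManagedBean
@RequestScoped
public class LogoutBean {

    /** Assumed landing page after logout; adjust to the application's welcome page. */
    private static final String AFTER_LOGOUT = "/faces/home.xhtml";

    public void logout() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ec = ctx.getExternalContext();

        // Compute the redirect target first. Nothing after subject.logout() may touch
        // the old session, and getRequestContextPath() does not need it.
        String target = ec.getRequestContextPath() + AFTER_LOGOUT;

        // SecurityUtils.getSubject() never returns null inside a ShiroFilter-wrapped request,
        // so the null check from the original logout() method is not needed.
        Subject subject = SecurityUtils.getSubject();
        try {
            // Stops the native session, deletes it from the SessionDAO and clears the
            // session-id cookie. Any wrapper still holding the old id is now invalid.
            subject.logout();
        } catch (SessionException e) {
            // The session had already expired or was stopped by a concurrent request.
            // The user is logged out either way, so continue with the redirect.
        }

        // Issue the redirect ourselves and stop the lifecycle here, so neither the
        // navigation handler nor render/state saving runs against the stopped session.
        ec.redirect(target);
        ctx.responseComplete();
    }
}
```

An alternative that keeps logout out of the JSF lifecycle altogether is Shiro's own logout filter, which the question's [urls] section has commented out (`/logout = logout`, with `logout.redirectUrl` in [main]) and the answer's configuration enables: a plain GET on /logout then calls subject.logout() and redirects before any JSF code runs.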

1 answer

司寇苗宣
2023-03-14

The problem with this configuration is the following line:

securityManager.sessionManager.globalSessionTimeout = 1800000 

It should be commented out. It does not work on Shiro's native sessions.

Alternatively, use the HttpSession (instead of Shiro's). Here is the configuration file:

[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in the shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dropshipDS

# the realm should also handle authorization
saltedJdbcRealm.permissionsLookupEnabled = true

# If not set, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is the password, second result column is the salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?

# If not set, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?

# If not set, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM crm_permissions WHERE role = ?

# password hashing specification, put something big for hashIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = $saltedJdbcRealm

# No sessionManager or sessionDAO here: the securityManager keeps its default
# ServletContainerSessionManager, so Shiro sessions are backed by the container's HttpSession.
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager

dsFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
dsFilter.loginUrl = /login.xhtml

roles = com.czetsuya.commons.web.security.shiro.RolesAuthorizationFilter

[urls]
/login.xhtml = dsFilter
/backend/** = dsFilter, roles[backend]
/affiliate/** = dsFilter, roles[affiliate]
/api/** = noSessionCreation, dsFilter
/logout = logout
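Both configurations on this page leave `sha256Matcher.hashIterations = 1` right under the comment advising a large value, and a single iteration of SHA-256 gives an attacker who obtains the table a very cheap brute force. Added example, my own code rather than the poster's JdbcRealmImpl: a Java helper that produces the password and salt columns the realm's authenticationQuery selects, using Shiro's own Sha256Hash and SecureRandomNumberGenerator so that what is stored is exactly what HashedCredentialsMatcher recomputes at login. It assumes Shiro 1.2.x, hex-encoded columns (the matcher's storedCredentialsHexEncoded default), and an iteration count of 100000; that count is an assumption, and whatever value is chosen must be identical here and in sha256Matcher.hashIterations. It also assumes the realm hands the matcher the decoded salt bytes (ByteSource.Util.bytes(Hex.decode(saltColumn))) in SimpleAuthenticationInfo; Shiro's stock JdbcRealm with saltStyle COLUMN instead uses the raw bytes of the column's string, so the realm and this helper have to agree on that detail or every login will fail.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.RandomNumberGenerator;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

/**
 * Creates and checks the (password, salt) pair stored in the users table.
 * Compatible with sha256Matcher in shiro.ini as long as HASH_ITERATIONS equals
 * sha256Matcher.hashIterations and both columns are stored hex encoded.
 */
public final class PasswordHasher {

    /** Assumed value; must be the same number as sha256Matcher.hashIterations. */
    public static final int HASH_ITERATIONS = 100000;

    /** The two columns the realm's authenticationQuery selects. */
    public static final class StoredCredentials {
        public final String passwordHex;
        public final String saltHex;

        StoredCredentials(String passwordHex, String saltHex) {
            this.passwordHex = passwordHex;
            this.saltHex = saltHex;
        }
    }

    /** Backed by java.security.SecureRandom. */
    private static final RandomNumberGenerator RNG = new SecureRandomNumberGenerator();

    private PasswordHasher() {
    }

    /** Hashes a new password with a fresh random salt (16 bytes by default). */
    public static StoredCredentials hash(char[] plaintext) {
        ByteSource salt = RNG.nextBytes();
        // Same construction HashedCredentialsMatcher performs: SHA-256 over salt then
        // password bytes, then re-digested HASH_ITERATIONS - 1 more times.
        String passwordHex = new Sha256Hash(plaintext, salt, HASH_ITERATIONS).toHex();
        return new StoredCredentials(passwordHex, salt.toHex());
    }

    /** Recomputes the hash from the stored columns and compares it in constant time. */
    public static boolean verify(char[] plaintext, String storedPasswordHex, String storedSaltHex) {
        ByteSource salt = ByteSource.Util.bytes(Hex.decode(storedSaltHex));
        String recomputed = new Sha256Hash(plaintext, salt, HASH_ITERATIONS).toHex();
        // MessageDigest.isEqual does not short-circuit on the first differing byte.
        return MessageDigest.isEqual(
                recomputed.getBytes(StandardCharsets.US_ASCII),
                storedPasswordHex.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample input; in the application the plaintext comes from the
        // registration form and the two columns go into the INSERT for czetsuya_users.
        char[] password = "correct horse battery staple".toCharArray();
        StoredCredentials stored = hash(password);
        System.out.println("password column: " + stored.passwordHex);
        System.out.println("salt column:     " + stored.saltHex);
        System.out.println("verify(original): " + verify(password, stored.passwordHex, stored.saltHex));
        System.out.println("verify(wrong):    " + verify("wrong".toCharArray(), stored.passwordHex, stored.saltHex));
    }
}
```

verify() returns true only for the original password and is there for migration scripts and tests; at login time the comparison is done by HashedCredentialsMatcher, which is why the iteration count, the encoding and the salt handling in the realm must mirror this helper exactly.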
  • 您好,我在ADFS 2.0中面临以下单一注销问题。 我使用ADFS 2.0作为RST,另一个ADFS 2.0注册为声明提供程序,并配置为表单身份验证。 我有4个依赖方(RPs)托管在另一台IIS服务器上。 在对索赔提供者进行身份验证后,我正在打开IE中的所有4个RPs。注销第一次运行得非常好。但如果我再次登录并单击注销,则刷新后任何一个RP应用程序都会保持登录状态。我还可以看到,在ADFS/LS站