Shiro: Session already invalidated
I am using Apache Shiro in a web-application. The login and authentication check works well, but I have a problem to implement a logout / re-login mechanism: The logout is done in a servlet:
    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        log.debug("do logout");
        Subject subject = SecurityUtils.getSubject();
        subject.logout();
        resp.sendRedirect("end.html");
    }
But after a logout and re-login I get the following error:
    org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException: getAttribute: Session already invalidated
        at org.apache.shiro.web.session.HttpServletSession.removeAttribute(HttpServletSession.java:167)
        at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
        at org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:246)
The login is done in the following way (in a method of a UI component, I use ZK as UI framework):
    private void tryLogin(UsernamePasswordToken token) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);
            ...
I do not understand the exception as the logout from shiro invalidates the session and the re-login should access a new session.
This will occur in Shiro before version 1.2 if someone (or something else) invalidates the session before Subject.logout() is invoked (e.g. httpSession.invalidate() and then subject.logout()). This has been raised as a bug in SHIRO-298 and it has already been resolved in 1.2.0-SNAPSHOT builds. You can use one of the current snapshot builds or use Shiro 1.2.0 when it is released.
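An added example (not from the answer or from the Shiro project) of a logout and login pair that tolerates the already-invalidated session described above and fails closed on re-login. The class name `SessionSafeAuth` and the `LoginResult` enum are assumptions, and the code targets the `javax.servlet` API used by Shiro 1.x.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper (class and enum names are assumptions); Shiro and servlet calls are real APIs. */
public final class SessionSafeAuth {

    public enum LoginResult { OK, BAD_CREDENTIALS, STALE_SESSION }

    public static void logout(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        try {
            // Shiro first: it clears the identity and stops its own session.
            SecurityUtils.getSubject().logout();
        } catch (InvalidSessionException e) {
            // Something else invalidated the session already; nothing left to clear.
        }
        // Only afterwards end whatever container session is still alive.
        HttpSession leftover = req.getSession(false);
        if (leftover != null) {
            leftover.invalidate();
        }
        resp.sendRedirect("end.html");
    }

    public static LoginResult login(UsernamePasswordToken token) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);
            return LoginResult.OK;
        } catch (InvalidSessionException e) {
            // Subject is still bound to a dead session: fail closed and let the
            // caller redirect so the next request starts with a fresh session.
            return LoginResult.STALE_SESSION;
        } catch (AuthenticationException e) {
            return LoginResult.BAD_CREDENTIALS;
        } finally {
            token.clear(); // wipe the password char[] held by the token
        }
    }
}
```

A caller that receives `STALE_SESSION` should treat the user as unauthenticated and send them back to the login page rather than retrying on the same subject.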
It looks like your UI framework is not regenerating the session after logout.
You can try to force a new session by calling subject.getSession() just before the login call. Something like this: