Shiro UnknownSessionException after logout

Question

I'm currently working on a web application in JavaEE6 stack and I've integrated Shiro for security. I think the authentication and authorization is working properly now and I have 1 last problem.

When I logout, I'm encountering UnknownSessionException, here are my config and codes for inspection:

web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">

    <!-- Welcome page -->
    <welcome-file-list>
        <welcome-file>home.xhtml</welcome-file>
    </welcome-file-list>

    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- Map these files with JSF -->
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.faces</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
</web-app>

shiro.ini

[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = czetsuyaPortal 

# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true

# If not filled, subclasses of JdbcRealm assume "select password from users where username  =  ?"
# first result column is password, second result column is salt 
saltedJdbcRealm.authenticationQuery  =  SELECT password, salt FROM czetsuya_users WHERE username  =  ?

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username  =  ?"
saltedJdbcRealm.userRolesQuery  =  SELECT name FROM czetsuya_roles a INNER JOIN czetsuya_user_roles b ON a.id = b.role_id INNER JOIN czetsuya_users c ON c.id = b.user_id WHERE c.username  =  ?

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name  =  ?"
saltedJdbcRealm.permissionsQuery  =  SELECT action FROM czetsuya_permissions WHERE role  =  ?

# password hashing specification, put something big for hasIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = saltedJdbcRealm

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = shiro-activeSessionCache
securityManager.sessionManager.sessionDAO = $sessionDAO

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

sessionValidationScheduler  =  org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
# 1,800,000 milliseconds  =  30 mins
sessionValidationScheduler.interval = 1800000
securityManager.sessionManager.sessionValidationScheduler  =  $sessionValidationScheduler

securityManager.sessionManager.sessionIdCookie.domain = com.czetsuya
# 1,800,000 milliseconds = 30 mins
securityManager.sessionManager.globalSessionTimeout = 1800000 

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager 
cacheManager.cacheManagerConfigFile = classpath:shiro-ehcache.xml
securityManager.cacheManager = $cacheManager

czetsuyaFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
czetsuyaFilter.loginUrl = /faces/login.xhtml
czetsuyaFilter.unauthorizedUrl = /faces/login.xhtml
# logout.redirectUrl = /faces/login.xhtml

[urls]
/login.xhtml = czetsuyaFilter
/secure/** = czetsuyaFilter
/api/** = noSessionCreation, czetsuyaFilter
# /logout = logout

The part where I invoke logout:

public String logout() {
    Subject subject = SecurityUtils.getSubject();
    if (subject != null) {
        subject.logout();
    }

    return "/home.xhtml?faces-redirect=true";
}

Thanks,
czetsuya

Answer 1

The problem with this configuration is the line:

securityManager.sessionManager.globalSessionTimeout = 1800000 

It should be comment out. It's not working on shiro's native session.

Or an alternative would be to use the HttpSession (not shiro). Here's the config file:

[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dropshipDS 

# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true

# If not filled, subclasses of JdbcRealm assume "select password from users where username  =  ?"
# first result column is password, second result column is salt 
saltedJdbcRealm.authenticationQuery  =  SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username  =  ?"
saltedJdbcRealm.userRolesQuery  =  SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name  =  ?"
saltedJdbcRealm.permissionsQuery  =  SELECT action FROM crm_permissions WHERE role = ?

# password hashing specification, put something big for hasIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = $saltedJdbcRealm

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager 
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager

dsFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
dsFilter.loginUrl = /login.xhtml

roles = com.czetsuya.commons.web.security.shiro.RolesAuthorizationFilter

[urls]
/login.xhtml = dsFilter
/backend/** = dsFilter, roles[backend]
/affiliate/** = dsFilter, roles[affiliate]
/api/** = noSessionCreation, dsFilter
/logout = logout