I am using Apache Shiro in a web-application. The login and authentication check works well, but I have a problem to implement a logout / re-login mechanism: The logout is done in a servlet:
private void logout(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
log.debug("do logout");
Subject subject = SecurityUtils.getSubject();
subject.logout();
resp.sendRedirect("end.html");
}
But after a logout and re-login I get the following error:
org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException:
getAttribute: Session already invalidated
at org.apache.shiro.web.session.HttpServletSession.removeAttribute(HttpServletSession.java:167)
at org.apache.shiro.session.ProxiedSession.removeAttribute(ProxiedSession.java:135)
at org.apache.shiro.subject.support.DelegatingSubject.clearRunAsIdentities(DelegatingSubject.java:424)
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:246)
The login is done in the following way (in a method of a UI component, I use ZK as UI framework):
private void tryLogin(UsernamePasswordToken token) {
Subject subject = SecurityUtils.getSubject();
try {
subject.login(token);
...
I do not understand the exception as the logout from shiro invalidates the session and the re-login should access a new session.
This will occur in Shiro before version 1.2 if someone (or something else) invalidates the session before
Subject.logout()is invoked (e.g.httpSession.invalidate()and thensubject.logout()).This has been raised as a bug in SHIRO-298 and it has already been resolved in 1.2.0-SNAPSHOT builds. You can use one of the current snapshot builds or use Shiro 1.2.0 when it is released.