0
votes

The problem is that the session scoped beans are not destroyed before the session-timeout is reached.

Therefore I have two questions regarding the following logout procedure:

  1. Is this the right way to use Shiro logout (see logout() below)?
  2. What would be the proper way to destroy the CDI session-scoped beans during logout?

page.xhtml:

<p:commandLink ajax="false" actionListener="#{myOtherBean.logout}" />

beans:

import java.io.IOException;
import java.io.Serializable;
import java.util.Observable;

import javax.enterprise.context.SessionScoped;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;

import org.apache.shiro.subject.Subject;

@Named
@SessionScoped
public class mySessionBean implements Serializable {
}

@Named
@SessionScoped
public class myOtherBean extends Observable implements Serializable {
    @Inject
    private Subject subject;

    // 'servlet' is used below but not declared in the post (presumably an injected ServletContext)
    public void logout() throws IOException {

        subject.logout();

        // this line throws the exception
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();

        FacesContext.getCurrentInstance().getExternalContext()
                .redirect(servlet.getContextPath() + "/logout");
    }
}

shiro.ini:

[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
....
logout=org.apache.shiro.web.filter.authc.LogoutFilter
logout.redirectUrl = /login.xhtml

....
[urls]
/logout = logout

Exception:

The following exception is thrown when I call FacesContext.getCurrentInstance().getExternalContext().invalidateSession();

java.lang.IllegalStateException:
org.apache.shiro.session.UnknownSessionException:
There is no session with id [e5939658-c033-4e67-984f-23cadfbc06fb]

Additional information: I am running Wildfly 8.2.0.Final.

Thanks.

Comments:

  teacurran: you're sure it's throwing that on the invalidateSession line? seems more likely it would throw it on subject.logout().
  sinclair: Yes, since you asked I checked it again and I'm sure.
  kaiser: From the Shiro docs, the logout automatically destroys the session. So you are trying to invalidate a destroyed session. Just remove the invalidateSession line and you are fine.
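An added example, not code from the question, the answer or the Shiro project: a logout bean that follows the comment's advice (let subject.logout() end the Shiro session and do not call invalidateSession() afterwards) and adds a @PreDestroy hook so the server log shows when the CDI session-scoped bean is actually destroyed. The class name LogoutBean and the logger are assumptions; the /logout path is the LogoutFilter mapping from the shiro.ini above.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.logging.Logger;

import javax.annotation.PreDestroy;
import javax.enterprise.context.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

// Hypothetical bean name; not part of the question or answer.
@Named
@SessionScoped
public class LogoutBean implements Serializable {

    private static final Logger LOG = Logger.getLogger(LogoutBean.class.getName());

    // Must match the [urls] entry mapped to the LogoutFilter in shiro.ini.
    private static final String LOGOUT_PATH = "/logout";

    public void logout() throws IOException {
        Subject subject = SecurityUtils.getSubject();
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();

        // Clears the authenticated state and stops the native Shiro session.
        // ec.invalidateSession() is deliberately NOT called afterwards: the
        // session is already gone, which is the UnknownSessionException in the question.
        subject.logout();

        // Hand off to the LogoutFilter URL, which redirects to /login.xhtml.
        ec.redirect(ec.getRequestContextPath() + LOGOUT_PATH);
    }

    // Called by the container when this bean's session scope ends. If this
    // line shows up only after the session timeout, the session-scoped beans
    // were not destroyed by the logout itself.
    @PreDestroy
    void destroyed() {
        LOG.info("session-scoped LogoutBean destroyed");
    }
}
```

Compare the timestamp of the log line against the time of the logout request to confirm whether the CDI scope ended at logout or at timeout.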

1 Answer

0
votes

Here is the code I am using in my project to do this, perhaps it is because your bean is SessionScoped and mine is ViewScoped?:

import java.io.IOException;
import java.io.Serializable;

import javax.faces.context.FacesContext;
import javax.faces.view.ViewScoped;
import javax.inject.Named;

import org.apache.shiro.SecurityUtils;

@Named
@ViewScoped
public class Authenticator implements Serializable {

    // LOGIN_URL is not defined in the post; it is the login page URL
    public void logout() throws IOException {
        SecurityUtils.getSubject().logout();
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        FacesContext.getCurrentInstance().getExternalContext().redirect(LOGIN_URL);
    }
}