1
votes

I have an ADF web application developed using JDeveloper 12.1.3, GlassFish server 3.1.2, and Apache Shiro for security.

The login action and application security are working fine, but the logout action is not.

After logging out of the application, it should redirect to the login page. But it throws

"javax.servlet.ServletException: java.lang.IllegalStateException: org.apache.shiro.session.UnknownSessionException: There is no session with id" error.

The logout action method code is:

public String logout() throws IOException {

    try {
        ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
        externalContext.invalidateSession();
        SecurityUtils.getSubject().logout();
    } catch (Exception e) {
        FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR, e.getMessage(), "");
        FacesContext.getCurrentInstance().addMessage(null, msg);
        e.printStackTrace(); // TODO: logger.
    }
    return "";
}

Am I missing anything?

1 Answer

0
votes

It looks like you are invalidating the session and then calling logout. Have you tried logging out first? Or something like:

Subject subject = SecurityUtils.getSubject();
ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
externalContext.invalidateSession();
subject.logout();

Otherwise, it looks like you are trying to get the current subject from an empty session.
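
The following is an added example, not part of the question or the answer above: a logout action that ends the Shiro subject before touching the HTTP session, tolerates a session that is already gone, and then redirects to the login page. The class name `LogoutBean` and the `LOGIN_PAGE` path are assumptions.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

// Hypothetical managed bean; the class name and LOGIN_PAGE are assumptions.
public class LogoutBean {

    private static final Logger LOG = Logger.getLogger(LogoutBean.class.getName());
    private static final String LOGIN_PAGE = "/faces/login.jsf"; // assumed path

    public void logout() throws IOException {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();

        // 1. Let Shiro end the authenticated state while its session still exists.
        try {
            Subject subject = SecurityUtils.getSubject();
            subject.logout();
        } catch (RuntimeException e) {
            // Log server-side only; do not echo exception text to the browser.
            LOG.log(Level.WARNING, "Shiro logout failed", e);
        }

        // 2. Invalidate whatever HTTP session is left; it may already be gone.
        try {
            ec.invalidateSession();
        } catch (IllegalStateException e) {
            LOG.log(Level.FINE, "HTTP session already invalidated", e);
        }

        // 3. Redirect so the login page is loaded in a fresh request.
        ec.redirect(ec.getRequestContextPath() + LOGIN_PAGE);
    }
}
```

Both steps run even if the first one fails, so a Shiro error cannot leave the HTTP session alive after the user has asked to log out.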