
Apache Shiro isAuthenticated returns true after Tomcat restart

I have a webapp deployed with Tomcat (8.0.32) and the login/logout operations work fine with each redeployment. However, they do not work so well if I stop Catalina without redeploying the webapp (`./catalina.sh stop` and then `./catalina.sh start` without any changes to the contents of the webapp folder). What happens is that the method `org.apache.shiro.subject.Subject.isAuthenticated()` returns true right after the server starts but before the new login operation takes place.

More specifically, my implementation of `javax.servlet.Filter.doFilter` starts with the following line:

if(org.apache.shiro.SecurityUtils.getSubject().isAuthenticated()) ...

which returns true right after the server restarted but before the new login. Shiro's version is 1.3.0.

Therefore I was wondering if I am missing something, e.g. is there any operation that must be performed before, or is this the wrong way to use this method? Thank you for your attention.

I'm not sure what your Shiro configuration looks like, but depending on your implementation Shiro by default sets a cookie which can still be valid after your server restarts.

Depending on your SessionManager implementation, you can set a `globalSessionTimeout` and `sessionValidationInterval`. The default session timeout is set to 1800000L (30 minutes). See `AbstractSessionManager` and `DefaultWebSessionManager`. Example implementation:

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# Session timeout token_ttl_ms = 14 days
sessionManager.globalSessionTimeout = 1209600000
# Session validation interval = 15 minutes
sessionManager.sessionValidationInterval = 900000

If you don't want to use any cookie, you can disable it by setting the following property in your SecurityManager config and skip the session management by the SessionManager completely:

securityManager.sessionManager.sessionIdCookieEnabled = false 
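One defensive pattern for the situation described in the question, as an added example that is not code from the question, the answer or the Shiro project: a servlet Filter that, besides calling `isAuthenticated()`, rejects any Shiro session whose start timestamp predates the start of the current JVM. A session that the container restored across a `catalina.sh stop` / `start`, or one that is still reachable through an outlived session id cookie, is then logged out and sent to the login page instead of being trusted. The class name `RestartAwareAuthFilter`, the `/login.jsp` path and the choice of the JVM start time as the boundary are assumptions for illustration; `Subject.getSession(false)`, `Session.getStartTimestamp()`, `Subject.logout()` and `WebUtils.issueRedirect()` are existing Shiro 1.x APIs.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.util.Date;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical filter (illustration, not from the original post): treats a Shiro
 * session as stale when it was started before this JVM instance came up, which is
 * exactly the case for a session that survived a stop/start instead of a redeploy.
 */
public class RestartAwareAuthFilter implements Filter {

    // Wall-clock start of the running JVM; any session older than this predates the restart.
    private static final Date JVM_START =
            new Date(ManagementFactory.getRuntimeMXBean().getStartTime());

    // Assumed login page; adjust to the application's real login URL.
    private static final String LOGIN_URL = "/login.jsp";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Subject subject = SecurityUtils.getSubject();

        if (subject.isAuthenticated() && isStale(subject.getSession(false))) {
            // Authentication state carried over from before the restart: drop it and
            // its session, then require a fresh login.
            subject.logout();
            WebUtils.issueRedirect(request, response, LOGIN_URL);
            return;
        }

        if (!subject.isAuthenticated()) {
            WebUtils.issueRedirect(request, response, LOGIN_URL);
            return;
        }

        chain.doFilter(request, response);
    }

    /** A session is stale when it exists and was created before this JVM started. */
    static boolean isStale(Session session) {
        return session != null && session.getStartTimestamp().before(JVM_START);
    }

    @Override
    public void destroy() { }
}
```

The JVM start time is used as the boundary because it is available without any extra configuration and changes on every stop/start; if the application is restarted more often than users should be forced to log in, the same check can be driven by the `globalSessionTimeout` from the answer instead, comparing the session's start timestamp against the configured lifetime rather than against the restart.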
