
Shiro throws an exception when session expires / invalidates

I tried to use native sessions with Grails:

[main]
sessionManager = org.apache.shiro.session.mgt.DefaultSessionManager
securityManager.sessionManager = $sessionManager

It works great until the session is not found or is invalidated.

  1. Start server. Login
  2. Restart server.

      org.apache.shiro.session.ExpiredSessionException: Session with id [3c3ffbef-ee93-4f6e-a599-1f1f4c03d037] has expired. Last access time: 29.10.14 12:18. Current time: 29.10.14 12:18. Session timeout is set to 1 seconds (0 minutes)
          at org.apache.shiro.session.mgt.SimpleSession.validate(SimpleSession.java:292)
          at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doValidate(AbstractValidatingSessionManager.java:186)
          at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
          at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:120)
          at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108)
          at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112)
          at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:209)
          at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141)
          at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
          at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)
          at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153)
          at org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149)
          at org.apache.shiro.web.servlet.ShiroHttpServletRequest.getSubjectPrincipal(ShiroHttpServletRequest.java:95)
          at org.apache.shiro.web.servlet.ShiroHttpServletRequest.getUserPrincipal(ShiroHttpServletRequest.java:111)

What's the point? Why does Shiro throw an exception instead of processing it silently? It makes Shiro sessions unusable.

It's funny that even logout doesn't work:
1. ShiroHttpServletRequest remembers principal's session
2. SecurityUtils.subject?.logout() invalidates principal's session
3. On processing the response, something accesses the session ( request.getSession(false) ); it returns the invalidated session => org.apache.shiro.session.UnknownSessionException

There is no session with id [86f8b1dc-0c16-4836-9564-c8cc3cc1c03a]. Stacktrace follows:
java.lang.IllegalStateException: org.apache.shiro.session.UnknownSessionException: There is no session with id [86f8b1dc-0c16-4836-9564-c8cc3cc1c03a]
    at org.apache.shiro.web.servlet.ShiroHttpSession.getAttribute(ShiroHttpSession.java:133)
    at grails.plugin.cache.web.filter.PageFragmentCachingFilter.doFilter(PageFragmentCachingFilter.java:195)
    at grails.plugin.cache.web.filter.AbstractFilter.doFilter(AbstractFilter.java:63)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)

What's the correct way of using native Shiro sessions?

It looks like you are using the non-web session manager. This doesn't utilize httpsession stuff, which you would really want in a servlet environment like Grails, because the web server then helps you with invalidation of sessions or restoring them on a redeploy.

Use the DefaultWebSessionManager instead:

[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

It extends DefaultSessionManager, so anything you wanted to do with that, you can do with the web session manager.
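
A fuller shiro.ini for the web session manager suggested above, given here as an added example that is not part of the original question or answer. The timeout value and the cookie name are assumed values; the property names are those of DefaultWebSessionManager and its session id cookie.

```ini
[main]
# Web-aware session manager: tracks the session through a session id cookie
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

# Idle timeout in MILLISECONDS (the trace in the question reports a 1 second
# timeout). 1800000 = 30 minutes, an assumed value.
sessionManager.globalSessionTimeout = 1800000

# Validate sessions periodically and delete the invalid ones from the store,
# so stale session ids do not accumulate
sessionManager.sessionValidationSchedulerEnabled = true
sessionManager.deleteInvalidSessions = true

# Session id cookie: keep it out of reach of scripts and off plain HTTP.
# The cookie name is an assumed value.
sessionManager.sessionIdCookieEnabled = true
sessionManager.sessionIdCookie.name = APPSESSIONID
sessionManager.sessionIdCookie.httpOnly = true
sessionManager.sessionIdCookie.secure = true

# Hand the configured manager to the security manager, as in the question
securityManager.sessionManager = $sessionManager
```

With `secure = true` the cookie is only sent over HTTPS, so drop that line only for a plain-HTTP development setup.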
