Reputation: 193
I'm working on a project where we are using Apache Shiro for security. Now, I'm not sure if the problem is in the Shiro configuration or if it is somewhere else.
What happens is that when a user has entered the credentials and is authenticated with basic auth, the values for username and password are preserved until the browser has been shut down. I've tried this in Firefox and Chrome and it is the same behaviour.
From what I understand this sounds like the Shiro "RememberMe" function, but I "think" I've shut this off.
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    logger.info("Remember Me active ? {}", upToken.isRememberMe());
    // ... remainder of the realm (user lookup) not shown in the post; the usual shape is:
    return new SimpleAuthenticationInfo(upToken.getUsername(), upToken.getPassword(), getName());
}
Prints: 09:44:00,323 INFO [TestRealm] Remember Me active ? false
I've also tried using the Shiro logout configured in the shiro.ini file:
[main]
...
logout.redirectUrl = /logout.jsp
...
[urls]
/logout = logout
The logout.jsp looks as follows:
<%@ page import="org.apache.shiro.SecurityUtils" %>
<% SecurityUtils.getSubject().logout();%>
You have successfully logged out.
None of this helps; the session is still active as long as the browser has not been shut down. When on the logout page, using the Chrome developer tools, I can see that the cookie is removed in the resources.
The complete shiro.ini file:
[main]
authBasicRealm = se.test.TestRealm
securityManager.realms = $authBasicRealm
#builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $builtInCacheManager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager.sessionIdCookieEnabled = false
# cookie for single sign on
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = test.session
cookie.path = /test
cookie.maxAge = 60
#cookie.secure = true
cookie.httpOnly = false
sessionManager.sessionIdCookie = $cookie
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO
securityManager.sessionManager = $sessionManager
logout.redirectUrl = /logout.jsp
[users]
# format: username = password, role1, role2, ..., roleN
admin = admin, 4
user = user, 2
[roles]
admin = *
user = *
#User Get Specified
1 = 1
#User Get All
2 = 1
#Create Put Update
3 = 2:*
#Admin
4 = admin:*
test = 2:*
[urls]
/logout = logout
/** = authcBasic
Best, Henrik
Upvotes: 1
Views: 2720
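The behaviour in the question (session cookie gone after logout, yet the user is still authenticated until the browser closes) is what HTTP Basic authentication does by design: the browser caches the credentials for the realm and resends the Authorization header on every later request, so the server simply re-authenticates the client after the Shiro session was invalidated. The following is an added example, not code from the question or from Apache Shiro, that models that exchange with a hypothetical in-memory server and browser; the user names and passwords are constructed to mirror the [users] section, and the audit events are assumptions about what a defender would want logged.

```python
"""Added example (not from the question or from Apache Shiro): a minimal model of
why a server-side logout does not end an HTTP Basic "session".

Hypothetical names: Server, Browser, parse_basic, demo. Credentials are constructed."""
import base64
import itertools

# constructed, mirrors the shape of the [users] section in the question
USERS = {"admin": "admin", "user": "user"}


def parse_basic(header):
    """Return (username, password) from an 'Authorization: Basic ...' header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pw = decoded.partition(":")
    return (user, pw) if sep else None


class Server:
    """Session-cookie server that also accepts Basic credentials, like authcBasic."""

    def __init__(self):
        self.sessions = {}            # session id -> username
        self._ids = itertools.count(1)
        self.audit = []               # events a defender would log

    def handle(self, path, headers):
        """Return (status, authenticated_user_or_None, set_cookie_or_None)."""
        sid = headers.get("Cookie")
        user = self.sessions.get(sid)
        if path == "/logout":
            # what logout.jsp does: invalidate the server session and clear the cookie
            if user:
                del self.sessions[sid]
                self.audit.append(("logout", user))
            return 200, None, ""      # "" models an expired Set-Cookie
        if user:
            return 200, user, None    # valid session cookie
        creds = parse_basic(headers.get("Authorization"))
        if creds and USERS.get(creds[0]) == creds[1]:
            # no session but valid Basic header: authenticate again and start a new session
            new_sid = f"s{next(self._ids)}"
            self.sessions[new_sid] = creds[0]
            if ("logout", creds[0]) in self.audit:
                # detection hook: a client that logged out is silently back in
                self.audit.append(("reauth_after_logout", creds[0]))
            return 200, creds[0], new_sid
        return 401, None, None


class Browser:
    """Keeps the session cookie and, like Firefox/Chrome, caches Basic credentials
    for the whole browser lifetime once the user has typed them."""

    def __init__(self, server, username=None, password=None):
        self.server = server
        self.cookie = None
        self.cached_auth = None
        if username is not None:    # the user answered the Basic prompt once
            token = base64.b64encode(f"{username}:{password}".encode()).decode()
            self.cached_auth = "Basic " + token

    def get(self, path):
        headers = {}
        if self.cookie:
            headers["Cookie"] = self.cookie
        if self.cached_auth:
            headers["Authorization"] = self.cached_auth   # resent on every request
        status, user, set_cookie = self.server.handle(path, headers)
        if set_cookie is not None:
            self.cookie = set_cookie or None              # "" clears the cookie
        return status, user


def demo():
    server = Server()
    browser = Browser(server, "admin", "admin")
    first = browser.get("/app")      # Basic header accepted, session s1 created
    browser.get("/logout")           # s1 invalidated, cookie cleared
    after = browser.get("/app")      # still 200: the cached Basic header was resent
    fresh = Browser(server).get("/app")   # a new browser has no cached credentials
    return first, after, fresh, list(server.audit)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(200, 'admin')` both before and after the logout, `(401, None)` for a browser without cached credentials, and an audit trail of `logout` followed by `reauth_after_logout`; the second event is the signal to watch for when deciding whether a Basic-auth logout actually took effect.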
Reputation: 6786
There must be some problem in the configuration; you can try a demo app from https://github.com/dominicfarr/skybird-shiro and check if it works.
Upvotes: 2