buji-pac4j: Setting session timeout

[Jonathan Labin]

I am trying to set the Shiro session timeout.

The Shiro Documentation states:

securityManager.sessionManager.globalSessionTimeout = 3600000

However this results in an exception:

org.apache.shiro.config.ConfigurationException: Property 'sessionManager.globalSessionTimeout' does not exist for object of type org.apache.shiro.web.mgt.DefaultWebSecurityManager.

Various answers around the web indicate other lines are necessary:

 sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 securityManager.sessionMode=native
 securityManager.sessionManager.globalSessionTimeout = 60000
 securityManager.sessionManager = $sessionManager

I have tried various combinations of the above lines in various order but the result is a "Too Many Redirections" reported by the browser.

The log shows a rapid sequence of alternating  SERVICE_TICKET_CREATED followed by SERVICE_TICKET_VALIDATED.

Is there a different class that should be specified as the sessionManager when using buji-pac4j?

[Jérôme LELEU]

Hi,

This should work, whatever the session configuration. That said, we heavily interact with the session (https://github.com/bujiio/buji-pac4j/blob/master/src/main/java/io/buji/pac4j/context/ShiroSessionStore.java).

So I'll do some tests and keep you posted.

Thanks.

Best regards,

Jérôme 

--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Jérôme LELEU]

Hi,

The session manager is the ServletContainerSessionManager by default in the DefaultWebSecurityManager, which just delegates the session management to the container. Thus, this property does not exist.

The session mode is deprecated and using "native" leads to instantiate a ServletContainerSessionManager, which is definitely not what we want here.

Thus, using the following configuration, it works:

# test:
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.globalSessionTimeout = 3600000
securityManager.sessionManager = $sessionManager

I'm using buji-pac4j-demo on master (https://github.com/pac4j/buji-pac4j-demo).

Is there something wrong with your CAS configuration/communication? This issue may arise if you don't succeed in validating the CAS service tickets (provided to the application) directly to the CAS server.

Thanks.

Best regards,

Jérôme

[Jonathan Labin]

Thanks for the help.

I have successfully added these lines to the demo project without issue.

But I am still having the issue with my real application.

I am currently in the process of isolating the difference between the two.  I have just updated my application to the same versions of shiro, pac4j and buji-pac4j as the demo project uses.

Without the timeout lines I see the following in the log:

2017-02-15T15:49:11.033+0000|Info: 2017-02-15 15:49:11,032 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.apache.shiro.mgt.DefaultSecurityManager | Context already contains a session.  Returning.
2017-02-15T15:49:11.033+0000|Info: 2017-02-15 15:49:11,032 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.apache.shiro.subject.support.DefaultSubjectContext | No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
2017-02-15T15:49:11.033+0000|Info: 2017-02-15 15:49:11,033 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.apache.shiro.web.servlet.SimpleCookie | Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/MyApplication; Max-Age=0; Expires=Tue, 14-Feb-2017 15:49:11 GMT]
2017-02-15T15:49:11.034+0000|Info: 2017-02-15 15:49:11,033 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.apache.shiro.mgt.AbstractRememberMeManager | AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
2017-02-15T15:49:11.034+0000|Info: 2017-02-15 15:49:11,033 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultCallbackLogic | redirectUrl: https://myhost:8181/MyApplication/
2017-02-15T15:49:11.092+0000|Info: 2017-02-15 15:49:11,087 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | === SECURITY ===
2017-02-15T15:49:11.093+0000|Info: 2017-02-15 15:49:11,087 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | url: https://myhost:8181/MyApplication/
2017-02-15T15:49:11.093+0000|Info: 2017-02-15 15:49:11,087 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | matchers: null
2017-02-15T15:49:11.093+0000|Info: 2017-02-15 15:49:11,087 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | clients: CasClient
2017-02-15T15:49:11.093+0000|Info: 2017-02-15 15:49:11,087 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | currentClients: [#CasClient# | callbackUrl: callback?client_name=CasClient | configuration: #CasConfiguration# | loginUrl: https://myhost:8181/cas | prefixUrl: https://myhost:8181/cas | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: org.pac4j.cas.logout.CasSingleSignOutHandler@15ddc263 | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | |]
2017-02-15T15:49:11.093+0000|Info: 2017-02-15 15:49:11,087 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | loadProfilesFromSession: true
2017-02-15T15:49:11.093+0000|Info: 2017-02-15 15:49:11,087 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | profiles: [#CasProfile# | id: test | attributes: {isFromNewLogin=true, authenticationDate=Wed Feb 15 15:49:10 GMT+00:00 2017, displayName=Sample User, name=Sample User, longTermAuthenticationRequestTokenUsed=false, memberOf=[sampleUsers], objectCategory=FixedAttribute} | roles: [MyRole] | permissions: [mypermission] | isRemembered: false |]
2017-02-15T15:49:11.093+0000|Info: 2017-02-15 15:49:11,087 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | authorizers: null
2017-02-15T15:49:11.093+0000|Info: 2017-02-15 15:49:11,087 DEBUG [Process 65316@MYHOST:19] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | authenticated and authorized -> grant access

When I add the server timeout lines, I see the following log lines instead:

2017-02-15T15:54:26.322+0000|Info: 2017-02-15 15:54:26,321 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.apache.shiro.mgt.DefaultSecurityManager | Context already contains a session.  Returning.
2017-02-15T15:54:26.323+0000|Info: 2017-02-15 15:54:26,321 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.apache.shiro.subject.support.DefaultSubjectContext | No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
2017-02-15T15:54:26.323+0000|Info: 2017-02-15 15:54:26,322 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.apache.shiro.web.servlet.SimpleCookie | Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/MyApplication; Max-Age=0; Expires=Tue, 14-Feb-2017 15:54:26 GMT]
2017-02-15T15:54:26.325+0000|Info: 2017-02-15 15:54:26,322 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.apache.shiro.mgt.AbstractRememberMeManager | AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
2017-02-15T15:54:26.325+0000|Info: 2017-02-15 15:54:26,323 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultCallbackLogic | redirectUrl: https://myhost:8181/MyApplication/
2017-02-15T15:54:26.367+0000|Info: 2017-02-15 15:54:26,366 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.apache.shiro.web.servlet.SimpleCookie | Found 'JSESSIONID' cookie value [27b5db39919ebd515a08717b325b]
2017-02-15T15:54:26.382+0000|Info: 2017-02-15 15:54:26,367 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.apache.shiro.mgt.DefaultSecurityManager | Resolved SubjectContext context session is invalid.  Ignoring and creating an anonymous (session-less) Subject instance. 
org.apache.shiro.session.UnknownSessionException: There is no session with id [27b5db39919ebd515a08717b325b]
at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)
at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:148)
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getSession(AbstractNativeSessionManager.java:140)
at org.apache.shiro.mgt.SessionsSecurityManager.getSession(SessionsSecurityManager.java:156)
at org.apache.shiro.mgt.DefaultSecurityManager.resolveContextSession(DefaultSecurityManager.java:460)
at org.apache.shiro.mgt.DefaultSecurityManager.resolveSession(DefaultSecurityManager.java:446)
at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:342)
at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:845)
at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.VirtualServerPipeline.invoke(VirtualServerPipeline.java:147)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:413)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:283)
at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:206)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:180)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:283)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:200)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:132)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:111)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:536)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:591)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:571)
at java.lang.Thread.run(Thread.java:745)
2017-02-15T15:54:26.389+0000|Info: 2017-02-15 15:54:26,374 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | === SECURITY ===
2017-02-15T15:54:26.389+0000|Info: 2017-02-15 15:54:26,389 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | url: https://myhost:8181/MyApplication/
2017-02-15T15:54:26.389+0000|Info: 2017-02-15 15:54:26,389 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | matchers: null
2017-02-15T15:54:26.389+0000|Info: 2017-02-15 15:54:26,389 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | clients: CasClient
2017-02-15T15:54:26.389+0000|Info: 2017-02-15 15:54:26,389 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | currentClients: [#CasClient# | callbackUrl: callback?client_name=CasClient | configuration: #CasConfiguration# | loginUrl: https://myhost:8181/cas | prefixUrl: https://myhost:8181/cas | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: org.pac4j.cas.logout.CasSingleSignOutHandler@7ced089b | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | |]
2017-02-15T15:54:26.389+0000|Info: 2017-02-15 15:54:26,389 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | loadProfilesFromSession: true
2017-02-15T15:54:26.390+0000|Info: 2017-02-15 15:54:26,389 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | profiles: []
2017-02-15T15:54:26.390+0000|Info: 2017-02-15 15:54:26,389 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | Starting authentication
2017-02-15T15:54:26.390+0000|Info: 2017-02-15 15:54:26,389 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.core.engine.DefaultSecurityLogic | requestedUrl: https://myhost:8181/MyApplication/
2017-02-15T15:54:26.398+0000|Info: 2017-02-15 15:54:26,389 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.apache.shiro.session.mgt.DefaultSessionManager | Creating new EIS record for new session instance [org.apache.shiro.session.mgt.SimpleSession,id=null]
2017-02-15T15:54:26.398+0000|Info: 2017-02-15 15:54:26,398 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.apache.shiro.web.servlet.SimpleCookie | Added HttpServletResponse Cookie [JSESSIONID=b2ad10cb-56a9-40e4-8624-0f0f827452d5; Path=/MyApplication; HttpOnly]
2017-02-15T15:54:26.400+0000|Info: 2017-02-15 15:54:26,399 DEBUG [Process 67156@MYHOST:44] --- | --- | --- | org.pac4j.cas.client.CasClient | redirectionUrl: https://myhost:8181/cas?service=https%3A%2F%2Fmyhost%3A8181%2FMyApplication%2Fcallback%3Fclient_name%3DCasClient

And then it begins a loop of repeatedly obtaining a Service Ticket and then validating the service ticket with the same results as shown above.

As I said, I am working through trying to reduce my shiro configuration to match that of the sample project but if anything here jumps out at you, please let me know.

Thanks,

Jonathan Labin

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.

[Jérôme LELEU]

Hi,

I don't see any logs from the callback filter. Can you turn on DEBUG logs on org.pac4.cas, org.apereo.cas and org.jasig.cas as well?

I see that no profile is retrieved from the context in the second use case.

It feels like the CAS authentication is performed and unproperly saved in the callback filter, making the security filter restart the login process.

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.

[Jonathan Labin]

Sorry I hadn't started copying early enough in the log to catch those:

2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,140 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.credentials.authenticator.CasAuthenticator | principal: test
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.profile.CasProfile | identifier: test
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.profile.CasProfile | no conversion => key: isFromNewLogin / value: true / class java.lang.String
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.profile.CasProfile | no conversion => key: authenticationDate / value: Wed Feb 15 16:17:35 GMT+00:00 2017 / class java.lang.String
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.profile.CasProfile | no conversion => key: displayName / value: Sample User / class java.lang.String
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.profile.CasProfile | no conversion => key: name / value: Sample User / class java.lang.String
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.profile.CasProfile | no conversion => key: longTermAuthenticationRequestTokenUsed / value: false / class java.lang.String
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.profile.CasProfile | no conversion => key: memberOf / value: [sampleUsers] / class java.util.LinkedList
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.profile.CasProfile | no conversion => key: objectCategory / value: FixedAttribute / class java.lang.String
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.credentials.authenticator.CasAuthenticator | casProfile: #CasProfile# | id: test | attributes: {isFromNewLogin=true, authenticationDate=Wed Feb 15 16:17:35 GMT+00:00 2017, displayName=Sample User, name=Sample User, longTermAuthenticationRequestTokenUsed=false, memberOf=[sampleUsers], objectCategory=FixedAttribute} | roles: [] | permissions: [] | isRemembered: false |
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.core.engine.DefaultCallbackLogic | credentials: #TokenCredentials# | token: ST-10-0lrMlClHChzCzCDbEiBS-mydomain | clientName: CasClient |
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,141 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.client.CasClient | credentials : #TokenCredentials# | token: ST-10-0lrMlClHChzCzCDbEiBS-mydomain | clientName: CasClient |
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,142 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.cas.client.CasClient | profile: #CasProfile# | id: test | attributes: {isFromNewLogin=true, authenticationDate=Wed Feb 15 16:17:35 GMT+00:00 2017, displayName=Sample User, name=Sample User, longTermAuthenticationRequestTokenUsed=false, memberOf=[sampleUsers], objectCategory=FixedAttribute} | roles: [] | permissions: [] | isRemembered: false |
2017-02-15T16:17:35.148+0000|Info: 2017-02-15 16:17:35,142 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.core.engine.DefaultCallbackLogic | profile: #CasProfile# | id: test | attributes: {isFromNewLogin=true, authenticationDate=Wed Feb 15 16:17:35 GMT+00:00 2017, displayName=Sample User, name=Sample User, longTermAuthenticationRequestTokenUsed=false, memberOf=[sampleUsers], objectCategory=FixedAttribute} | roles: [MyRole] | permissions: [mypermission] | isRemembered: false |
2017-02-15T16:17:35.164+0000|Info: 2017-02-15 16:17:35,163 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.realm.AuthenticatingRealm | Looked up AuthenticationInfo [#Pac4jPrincipal# | profiles: [#CasProfile# | id: test | attributes: {isFromNewLogin=true, authenticationDate=Wed Feb 15 16:17:35 GMT+00:00 2017, displayName=Sample User, name=Sample User, longTermAuthenticationRequestTokenUsed=false, memberOf=[sampleUsers], objectCategory=FixedAttribute} | roles: [MyRole] | permissions: [mypermission] | isRemembered: false |] |] from doGetAuthenticationInfo
2017-02-15T16:17:35.164+0000|Info: 2017-02-15 16:17:35,164 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.realm.AuthenticatingRealm | AuthenticationInfo caching is disabled for info [#Pac4jPrincipal# | profiles: [#CasProfile# | id: test | attributes: {isFromNewLogin=true, authenticationDate=Wed Feb 15 16:17:35 GMT+00:00 2017, displayName=Sample User, name=Sample User, longTermAuthenticationRequestTokenUsed=false, memberOf=[sampleUsers], objectCategory=FixedAttribute} | roles: [MyRole] | permissions: [mypermission] | isRemembered: false |] |].  Submitted token: [io.buji.pac4j.token.Pac4jToken@33030abb].
2017-02-15T16:17:35.166+0000|Info: 2017-02-15 16:17:35,164 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.authc.credential.SimpleCredentialsMatcher | Performing credentials equality check for tokenCredentials of type [java.lang.Integer and accountCredentials of type [java.lang.Integer]
2017-02-15T16:17:35.166+0000|Info: 2017-02-15 16:17:35,165 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.authc.pam.ModularRealmAuthenticator | Realm [AuthzOnlyJpaRealm@1f9b1f6e] does not support token io.buji.pac4j.token.Pac4jToken@33030abb.  Skipping realm.
2017-02-15T16:17:35.168+0000|Info: 2017-02-15 16:17:35,166 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.authc.AbstractAuthenticator | Authentication successful for token [io.buji.pac4j.token.Pac4jToken@33030abb].  Returned account [#Pac4jPrincipal# | profiles: [#CasProfile# | id: test | attributes: {isFromNewLogin=true, authenticationDate=Wed Feb 15 16:17:35 GMT+00:00 2017, displayName=Sample User, name=Sample User, longTermAuthenticationRequestTokenUsed=false, memberOf=[sampleUsers], objectCategory=FixedAttribute} | roles: [MyRole] | permissions: [mypermission] | isRemembered: false |] |]
2017-02-15T16:17:35.168+0000|Info: 2017-02-15 16:17:35,167 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.subject.support.DefaultSubjectContext | No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
2017-02-15T16:17:35.168+0000|Info: 2017-02-15 16:17:35,167 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.mgt.DefaultSecurityManager | Context already contains a session.  Returning.
2017-02-15T16:17:35.168+0000|Info: 2017-02-15 16:17:35,168 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.subject.support.DefaultSubjectContext | No SecurityManager available in subject context map.  Falling back to SecurityUtils.getSecurityManager() lookup.
2017-02-15T16:17:35.170+0000|Info: 2017-02-15 16:17:35,168 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.web.servlet.SimpleCookie | Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/MyApplication; Max-Age=0; Expires=Tue, 14-Feb-2017 16:17:35 GMT]
2017-02-15T16:17:35.170+0000|Info: 2017-02-15 16:17:35,168 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.mgt.AbstractRememberMeManager | AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
2017-02-15T16:17:35.185+0000|Info: 2017-02-15 16:17:35,169 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.pac4j.core.engine.DefaultCallbackLogic | redirectUrl: https://myhost:8181/MyApplication/
2017-02-15T16:17:35.215+0000|Info: 2017-02-15 16:17:35,214 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.web.servlet.SimpleCookie | Found 'JSESSIONID' cookie value [2909164c31e5cac8bc4babe4baf7]
2017-02-15T16:17:35.218+0000|Info: 2017-02-15 16:17:35,214 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.mgt.DefaultSecurityManager | Resolved SubjectContext context session is invalid.  Ignoring and creating an anonymous (session-less) Subject instance. 

and then the stack trace and looping after this.

[Jérôme LELEU]

Hi,

I don't like the latest line:

2017-02-15T16:17:35.218+0000|Info: 2017-02-15 16:17:35,214 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.mgt.DefaultSecurityManager | Resolved SubjectContext context session is invalid.  Ignoring and creating an anonymous (session-less) Subject instance. 

while we have this one just before:

2017-02-15T16:17:35.168+0000|Info: 2017-02-15 16:17:35,167 DEBUG [Process 67156@MYHOST:45] --- | --- | --- | org.apache.shiro.mgt.DefaultSecurityManager | Context already contains a session.  Returning.

Both logs come from the resolveSession method in the DefaultSecurityManager: it feels as if the session is lost.

Can you put a breakpoint at the beginning of this method and tell us about the caller (each time)?

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.

[Jonathan Labin]

See attached log file for stack traces at that breakpoint.

[Jérôme LELEU]

Hi,

The breakpoint is at the right place, but what's the value of the context.resolveSession() (it should be called twice)?

Is there a way I can reproduce it? What's your application server? Can you share (even privately) a demo?

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.

[Jonathan Labin]

Good news.

I worked through each of the differences between my application and the buji-pac4j-demo project (v2.1) and found one which induces the error behavior when applied to the buji-pac4j-demo.

I have a CAS Single Sign Out Filter configured in my web.xml as described in the java-cas-client documentation.

In my early efforts to use CAS this was required for my test applications to terminate sessions when the user logged out of CAS.

Is this feature already being provided elsewhere in the pac4j / buji-pac4j libraries such that this block is no longer need in the web.xml in order for applications to receive the logout callback from the CAS server?

[Jérôme LELEU]

Hi,

Yes, pac4j 1.9 and buji-pac4j 2.x already handle that thanks to the https://github.com/pac4j/pac4j/blob/1.9.x/pac4j-cas/src/main/java/org/pac4j/cas/logout/CasSingleSignOutHandler.java

You can use it instead.

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.

[Jonathan Labin]

But the org.jasig.cas.client.session.SingleSignOutFilter must still be configured in the web.xml for older versions (e.g. pac4j 1.8.7 buji-pac4j 1.4.3)?

[Jérôme LELEU]

Hi,

No, you don't need it. The CAS logout requests are already handled by the https://github.com/pac4j/pac4j/blob/1.8.x/pac4j-cas/src/main/java/org/pac4j/cas/logout/CasSingleSignOutHandler.java

In 1.8.x and 1.9.x, you nonetheless need the SingleSignOutHttpSessionListener to clean the session when no logout has been explicitly performed. This won't be the case anymore in 2.0.x.

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.