
Shiro creates a new session for every getSession()


I'm using Shiro (1.2.0) in a Tapestry app. Right now I only want to use it for session management. While default session management (using ServletContainerSessionManager) works, when I try to switch to native sessions, Shiro stops keeping track of them:

public static WebSecurityManager decorateWebSecurityManager(WebSecurityManager manager) {
  if (manager instanceof TapestryRealmSecurityManager) {
    // Switch from container-managed sessions to Shiro native sessions,
    // stored in memory.
    DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
    MemorySessionDAO sessionDAO = new MemorySessionDAO();
    sessionManager.setSessionDAO(sessionDAO);
    ((TapestryRealmSecurityManager) manager).setSessionManager(sessionManager);
  }
  // The manager is reconfigured in place; null means no replacement service is supplied.
  return null;
}

Debug output:

07-08-12 17:47:57:339 - {TRACE} util.ThreadContext Thread [1072280360@qtp-1531443370-6];  Bound value of type [$WebSecurityManager_19518d48138a] for key [org.apache.shiro.util.ThreadContext_SECURITY_MANAGER_KEY] to thread [1072280360@qtp-1531443370-6]
07-08-12 17:47:57:339 - {TRACE} mgt.DefaultSecurityManager Thread [1072280360@qtp-1531443370-6];  Context already contains a SecurityManager instance.  Returning.
07-08-12 17:47:57:339 - {TRACE} mgt.AbstractValidatingSessionManager Thread [1072280360@qtp-1531443370-6];  Attempting to retrieve session with key org.apache.shiro.web.session.mgt.WebSessionKey@1dc49089
07-08-12 17:47:57:339 - {DEBUG} servlet.SimpleCookie Thread [1072280360@qtp-1531443370-6];  Found 'JSESSIONID' cookie value [sbrxl74ij1v8]
07-08-12 17:47:57:339 - {DEBUG} mgt.DefaultSecurityManager Thread [1072280360@qtp-1531443370-6];  Resolved SubjectContext context session is invalid.  Ignoring and creating an anonymous (session-less) Subject instance.
org.apache.shiro.session.UnknownSessionException: There is no session with id [sbrxl74ij1v8]
at     org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)

Solution

  • The problem was that I forgot to remove the @Persist annotations, which by default use sessions to store data. This caused Tapestry to overwrite Shiro's JSESSIONID cookie with its own value.
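
One way to find what is still creating servlet-container sessions after switching Shiro to native sessions, as in the @Persist case above. This is an added example, not code from the original post; the class name ContainerSessionTracer is hypothetical, and it assumes the container invokes the listener on the thread that requested the session.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added diagnostic (hypothetical class name, not part of Shiro or Tapestry).
 * With Shiro native sessions enabled, the servlet container should no longer
 * be asked to create sessions. Every call to sessionCreated() therefore marks
 * code that bypasses Shiro and makes the container issue its own JSESSIONID.
 */
public class ContainerSessionTracer implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(ContainerSessionTracer.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        String id = event.getSession().getId();
        // Log only a prefix: a full session ID in a log file is a credential.
        String shortId = id.length() > 4 ? id.substring(0, 4) + "..." : id;

        // Assumption: the listener runs on the requesting thread, so this
        // Throwable's stack trace points at the code that asked for the session.
        LOG.log(Level.WARNING,
                "Container HttpSession created (id prefix " + shortId + ")",
                new Throwable("container session creation call stack"));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Nothing to trace on destruction.
    }
}
```

Register the class with a `<listener>` entry in web.xml. If the logged stack trace passes through Tapestry's persistent field handling, a leftover @Persist field is the source of the competing cookie.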