I need to change the default session time out in my jsf application that uses shiro for security and session management. It defaults to 30 minutes.
Following is my shiro configuration
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
<init-param>
<param-name>config</param-name>
<param-value>
[main]
authc = com.foo.bar
authcRealm = com.foo.barAuthenticatingRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 20000
unAuthc = com.foo.UnauthorisedFilter
/** = authc
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
On using the above config, I am logged out immediately on login. Removing the following lines defaults the timeout to 30 mins
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 20000
Well after trying to search on the net and failing, and failing here too, I finally managed to find a way (sort of hack and not the best way). Here it goes
Shiro by default creates a security manager of the type DefaultWebSecurityManager
, so went ahead to extend it. Intercepted its createSubject()
method and set the timeout there as follows
public class SecurityManager extends DefaultWebSecurityManager {
@Override
public Subject createSubject(SubjectContext subjectContext) {
Subject subject = super.createSubject(subjectContext);
subject.getSession().setTimeout(10 * 60 * 1000);
return subject;
}
}
Then assigned this SecurityManager
to sessionManager
(Very strange why they call a security manager a session manager, i wasted a lot of time before figuring this out) in the config as follows
[main]
authc = com.foo.bar
authcRealm = com.foo.barAuthenticatingRealm
sessionManager = com.foo.securityManager
unAuthc = com.foo.UnauthorisedFilter
/** = authc
I don't think this is the only way to do it, I am sure there are much better ways, probably less hacky, better performant, but this worked for me, without any noticeable performance hit (though I did observe this method getting called several times, probably once per http request). Please leave another answer if you know of a better way, and I'll be more than happy to re accept a better solution.