
Shiro Session logout not working


I'm working in a project where we are using Apache Shiro for security. Now, I'm not sure if the problem is in the Shiro configuration or if it is somewhere else.

What happens is that when a user has entered the credentials and is authenticated with basic auth, the values for username and password are preserved until the browser has been shut down. I've tried this in Firefox and Chrome and it is the same behaviour.

From what I understand this sounds like the Shiro "RememberMe" function, but I "think" I've shut this off.

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    logger.info("Remember Me active ? {}", upToken.isRememberMe());

Prints: 09:44:00,323 INFO [TestRealm] Remember Me active ? false

I've also tried using the Shiro logout configured in the shiro.ini file:

[main]
...
logout.redirectUrl = /logout.jsp

...
[urls]
/logout = logout

The logout.jsp looks as follows:

<%@ page import="org.apache.shiro.SecurityUtils" %>
<% SecurityUtils.getSubject().logout();%>
You have successfully logged out.

None of this helps; the session is still active as long as the browser has not been shut down. When on the logout page, using the Chrome developer tools, I can see that the cookie is removed in the resources.

The complete shiro.ini file:

[main]
authBasicRealm = se.test.TestRealm
securityManager.realms = $authBasicRealm
#builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $builtInCacheManager

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager.sessionIdCookieEnabled = false

# cookie for single sign on
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = test.session
cookie.path = /test
cookie.maxAge = 60
#cookie.secure = true
cookie.httpOnly = false
sessionManager.sessionIdCookie = $cookie

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO

securityManager.sessionManager = $sessionManager

logout.redirectUrl = /logout.jsp

[users]
# format: username = password, role1, role2, ..., roleN
admin = admin, 4
user = user, 2
[roles]
admin = *
user = *
#User Get Specified
1 = 1
#User Get All
2 = 1
#Create Put Update
3 = 2:*
#Admin
4 = admin:*
test = 2:*
[urls]
/logout = logout
/** = authcBasic

Best, Henrik
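The following is an added example, not code from the question or from the linked demo project. It models in Python the exchange the question describes: the `authcBasic` filter checks for an authenticated session first and otherwise decodes the `Authorization: Basic` header against the realm on every request, while a browser keeps Basic credentials for a host until it exits and resends them unprompted. The user table, the session-id generation and the `headers` dictionary shape are constructed for the example; the cookie name is taken from the posted shiro.ini. The model shows why `isRememberMe()` being false and the cookie vanishing from the resources tab are both consistent with what is observed: the server-side session is gone after logout, but the next request still carries the cached header and is authenticated afresh.

```python
import base64
import secrets

# Constructed stand-in for the [users] section of the shiro.ini in the question.
USERS = {"admin": "admin", "user": "user"}
COOKIE_NAME = "test.session"  # cookie.name from the posted shiro.ini


class ShiroLikeServer:
    """Server side: a minimal model of the authcBasic filter plus a session store."""

    def __init__(self):
        self.sessions = {}  # session id -> username (what the sessionDAO holds)

    def logout(self, session_id):
        # Models SecurityUtils.getSubject().logout(): the server-side session is
        # dropped; nothing tells the client to forget its Basic credentials.
        self.sessions.pop(session_id, None)

    def handle(self, headers):
        """Return (status, username, session_id) for one request.

        Order follows Shiro's authenticating filter: an authenticated session wins;
        otherwise the Authorization: Basic header is decoded and checked against the
        realm; otherwise the request is challenged with 401.
        """
        sid = headers.get("cookies", {}).get(COOKIE_NAME)
        if sid in self.sessions:
            return 200, self.sessions[sid], sid

        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return 401, None, None
            user, _, pw = decoded.partition(":")
            expected = USERS.get(user)
            # compare_digest avoids timing differences; the None guard keeps an
            # unknown user with an empty password from matching.
            if expected is not None and secrets.compare_digest(
                expected.encode("utf-8"), pw.encode("utf-8")
            ):
                sid = secrets.token_hex(8)
                self.sessions[sid] = user
                return 200, user, sid
        return 401, None, None


class BrowserModel:
    """Client side: a browser keeps Basic credentials for the host until it exits
    and resends them on every request; the session cookie is handled separately."""

    def __init__(self):
        self.cached_basic = None
        self.cookies = {}

    def request(self, server, user=None, password=None):
        if user is not None:  # the user typed credentials into the auth prompt
            raw = f"{user}:{password}".encode("utf-8")
            self.cached_basic = base64.b64encode(raw).decode("ascii")
        headers = {"cookies": dict(self.cookies)}
        if self.cached_basic is not None:
            headers["Authorization"] = "Basic " + self.cached_basic
        status, who, sid = server.handle(headers)
        if sid is not None:
            self.cookies[COOKIE_NAME] = sid
        return status, who

    def visit_logout_page(self, server):
        # logout.jsp: the server invalidates the session and the cookie disappears
        # from the browser (what the question observed in the Chrome resources tab).
        server.logout(self.cookies.get(COOKIE_NAME))
        self.cookies.pop(COOKIE_NAME, None)


def logout_then_request(restart_browser=False):
    """Log in, log out, then request again; returns both results and the number
    of live server sessions. restart_browser=True models closing the browser,
    which is the only event in this model that drops the cached header."""
    server = ShiroLikeServer()
    browser = BrowserModel()
    first = browser.request(server, "admin", "admin")
    browser.visit_logout_page(server)
    if restart_browser:
        browser = BrowserModel()  # fresh process: no cached header, no cookies
    second = browser.request(server)
    return first, second, len(server.sessions)


if __name__ == "__main__":
    print("same browser window:", logout_then_request())
    print("after browser restart:", logout_then_request(restart_browser=True))
```

In the same-window run the second request is authenticated again and a new server session appears even though the old one was invalidated; only the restarted browser gets a 401. Invalidating the Shiro session is still the right thing to do on logout, but with HTTP Basic the server has no way to revoke credentials the client chooses to resend, which is worth keeping in mind when deciding whether Basic auth is appropriate for a browser-facing application.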


Solution

  • There must be some problem in the configuration; you can try a demo app from https://github.com/dominicfarr/skybird-shiro and check if it works.