Shiro 注销 - org.apache.shiro.session.UnknownSessionException答案

【问题标题】：Shiro Logout - org.apache.shiro.session.UnknownSessionExceptionShiro 注销 - org.apache.shiro.session.UnknownSessionException
【发布时间】：2022-01-24 05:21:01
【问题描述】：

我目前对 Apache Shiro 的注销有疑问：

这是我的 Shiro.ini

[main]
#### Session
sessionIdCookie=org.apache.shiro.web.servlet.SimpleCookie
#sessionIdCookie.path = /
sessionIdCookie.httpOnly = true
sessionIdCookie.name = sid
sessionIdCookie.domain = localhost
sessionIdCookie.maxAge=28800000
sessionIdCookie.secure = true
sessionIdCookie.sameSite = NONE

sessionManager=org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionIdCookie=$sessionIdCookie
sessionManager.sessionIdCookieEnabled=true
securityManager.sessionManager=$sessionManager
# Session Timeout nach 8 Stunden
sessionManager.globalSessionTimeout= 28800000

sessionListener1= de.dpunkt.myaktion.util.MySessionListener1
sessionManager.sessionListeners=$sessionListener1

# Session validation = 5 minutes
sessionManager.sessionValidationInterval = 300000


#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionMode=native


sessionValidationScheduler=org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 60000
sessionValidationScheduler.sessionManager=$sessionManager
sessionManager.sessionValidationScheduler=$sessionValidationScheduler
sessionManager.deleteInvalidSessions=true
#sessionFactory=org.apache.shiro.session.mgt.OnlineSessionFactory
#sessionManager.sessionFactory=$sessionFactory
#securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false




# password hashing specification, put something big for hasIterations
sha512Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha512Matcher.hashAlgorithmName=SHA-512
sha512Matcher.hashIterations=1

# Configure JDBC realm datasource.
...

# Realm for Token Login
....

# AuthStrategy
authenticator = org.apache.shiro.authc.pam.ModularRealmAuthenticator
authcStrategy = org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy

authenticator = org.apache.shiro.authc.pam.ModularRealmAuthenticator
securityManager.authenticator = $authenticator
securityManager.authenticator.authenticationStrategy = $authcStrategy
securityManager.realms = $jdbcRealm, $tcRealm 

# Caching
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager

# Using default form based security filter org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /common/login.jsf
authc.successUrl = /portal/dashboard.jsf


# Redirect to an access denied page if user does not have access rights
#[roles]
#roles.unauthorizedUrl = /common/access-denied.jsf
#perms.unauthorizedUrl = /accessdenied.jsp




## OTHER
/WEB-INF/layout/portal/** = authc
/portal/** = authc

这是我的控制器类：

    @SessionScoped
    @Named
    public class LoginBean implements Serializable {
    
    private Subject currentUserShiro;
    
        public void logout() {
    
            LOGGER.info("START logout");
    
            try {
    
                FacesContext facesContext = FacesContext.getCurrentInstance();
                HttpSession httpSession = (HttpSession) facesContext.getExternalContext().getSession(false);
                ServletContext application = httpSession.getServletContext();
      
                // Shiro User
                currentUserShiro.logout();
                currentUserShiro = null;
                
                FacesContext.getCurrentInstance().getExternalContext().redirect("/common/login.jsf"); 
    
    
            }
    
            catch (UnavailableSecurityManagerException e) {
                LOGGER.info("UnavailableSecurityManagerException");
            }
    
            catch (UnknownSessionException e) {
                LOGGER.info("Unknown Session");
            }
    
            catch (ExpiredSessionException e) {
                LOGGER.info("Session is expired");
            }
    
            catch (StoppedSessionException e) {
                LOGGER.info("Session stopped");
            }
    
            catch (NullPointerException e) {
            }
    
            catch (Exception e) {
                LOGGER.error(ExceptionUtils.getFullStackTrace(e));
            }
    
            LOGGER.info("END logout");
        }

按下注销按钮后，我收到以下错误消息：

org.apache.shiro.session.UnknownSessionException: 没有 id 为 [32767ef1-b285-4dc3-8 的会话

有人可以帮忙吗？有什么我没有考虑过的吗？似乎注销成功并且用户无法返回并拥有相同的权限，但每次我都收到此异常。

【问题讨论】：

您能否详细说明您是如何获得currentUserShiro的？
只是登录：currentUserShiro = sessionUserServiceBean.login(username, password); 功能“登录”比使用UsernamePasswordToken token = new UsernamePasswordToken(username, password);

标签： shiro

【解决方案1】：

好的，你在 Shiro 不知道的 Subject 上调用了注销会话。

要获取当前主题，请使用Subject currentUser = SecurityUtils.getSubject(); -- 与调用`currentUser.login(token);)的登录方法相同。

现在，使用注销方法，您只需要使用：

  Subject currentUser = SecurityUtils.getSubject();
  currentUser.logout();

...加上一个try-catch。

也就是说，看看您是否可以消除您的实例字段private Subject currentUserShiro。它不应该是必需的（至少在您向我们展示的代码中）。

参考：
https://shiro.apache.org/subject.html

【讨论】：