I currently have a problem with the Apache logout:

My Shiro.ini

```ini
[main]
#### Session
sessionIdCookie=org.apache.shiro.web.servlet.SimpleCookie
#sessionIdCookie.path = /
sessionIdCookie.httpOnly = true
sessionIdCookie.name = sid
sessionIdCookie.domain = localhost
sessionIdCookie.maxAge=28800000
sessionIdCookie.secure = true
sessionIdCookie.sameSite = NONE
sessionManager=org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionIdCookie=$sessionIdCookie
sessionManager.sessionIdCookieEnabled=true
securityManager.sessionManager=$sessionManager
# Session timeout after 8 hours
sessionManager.globalSessionTimeout= 28800000
sessionListener1= de.dpunkt.myaktion.util.MySessionListener1
sessionManager.sessionListeners=$sessionListener1
# Session validation = 5 minutes
sessionManager.sessionValidationInterval = 300000
#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionMode=native
sessionValidationScheduler=org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 60000
sessionValidationScheduler.sessionManager=$sessionManager
sessionManager.sessionValidationScheduler=$sessionValidationScheduler
sessionManager.deleteInvalidSessions=true
#sessionFactory=org.apache.shiro.session.mgt.OnlineSessionFactory
#sessionManager.sessionFactory=$sessionFactory
#securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
# password hashing specification, put something big for hashIterations
sha512Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha512Matcher.hashAlgorithmName=SHA-512
sha512Matcher.hashIterations=1
# Configure JDBC realm datasource.
...
# Realm for Token Login
....
# AuthStrategy
authenticator = org.apache.shiro.authc.pam.ModularRealmAuthenticator
authcStrategy = org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy
authenticator = org.apache.shiro.authc.pam.ModularRealmAuthenticator
securityManager.authenticator = $authenticator
securityManager.authenticator.authenticationStrategy = $authcStrategy
securityManager.realms = $jdbcRealm, $tcRealm
# Caching
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
# Using default form based security filter org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /common/login.jsf
authc.successUrl = /portal/dashboard.jsf
# Redirect to an access denied page if user does not have access rights
#[roles]
#roles.unauthorizedUrl = /common/access-denied.jsf
#perms.unauthorizedUrl = /accessdenied.jsp
## OTHER
/WEB-INF/layout/portal/** = authc
/portal/** = authc
```

This is my controller class:
```java
@SessionScoped
@Named
public class LoginBean implements Serializable {
    private Subject currentUserShiro;

    public void logout() {
        LOGGER.info("START logout");
        try {
            FacesContext facesContext = FacesContext.getCurrentInstance();
            HttpSession httpSession = (HttpSession) facesContext.getExternalContext().getSession(false);
            ServletContext application = httpSession.getServletContext();
            // Shiro User
            currentUserShiro.logout();
            currentUserShiro = null;
            FacesContext.getCurrentInstance().getExternalContext().redirect("/common/login.jsf");
        }
        catch (UnavailableSecurityManagerException e) {
            LOGGER.info("UnavailableSecurityManagerException");
        }
        catch (UnknownSessionException e) {
            LOGGER.info("Unknown Session");
        }
        catch (ExpiredSessionException e) {
            LOGGER.info("Session is expired");
        }
        catch (StoppedSessionException e) {
            LOGGER.info("Session stopped");
        }
        catch (NullPointerException e) {
        }
        catch (Exception e) {
            LOGGER.error(ExceptionUtils.getFullStackTrace(e));
        }
        LOGGER.info("END logout");
    }
}
```

After I press the logout button, I get the following error message:
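There is no session with id [32767ef1-b285-4dc3-8 ]

Can anyone here help? Is there something I haven't considered? The logout seems to be successful, the user cannot go back and have the same permissions, but I get this exception every time.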
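Posted on 2022-01-10 13:27:43

Well, you are calling logout on a subject that is not known to Shiro.

To get the current subject, use `Subject currentUser = SecurityUtils.getSubject();`, the same as in the login method that calls `currentUser.login(token)`.

Now, in the logout method, just use:

```java
Subject currentUser = SecurityUtils.getSubject();
currentUser.logout();
```

... plus the catch clauses again.

That said, see whether you can eliminate the instance field `private Subject currentUserShiro`. It should not be needed (at least not in the code you showed us).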
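
The answer's suggestion written out as a complete bean, as an added example that is not part of the original question or answer. It assumes the `javax` (not `jakarta`) namespaces and SLF4J for `LOGGER`; the context-path redirect and the single catch of `InvalidSessionException` are choices of this example.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.enterprise.context.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@SessionScoped
@Named
public class LoginBean implements Serializable {
    private static final long serialVersionUID = 1L;
    // Assumption: SLF4J; the question does not show how LOGGER is declared.
    private static final Logger LOGGER = LoggerFactory.getLogger(LoginBean.class);

    // No Subject field: the subject is resolved on every call, so this
    // session-scoped bean never keeps a reference to an old subject.
    public void logout() throws IOException {
        // Resolve JSF state first; logout() stops the Shiro session.
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        String loginPage = ext.getRequestContextPath() + "/common/login.jsf";

        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.logout();
        } catch (InvalidSessionException e) {
            // Parent type of UnknownSessionException, ExpiredSessionException
            // and StoppedSessionException. The exception message contains the
            // session id, so it is deliberately not written to the log.
            LOGGER.info("Session was already invalid at logout");
        }
        ext.redirect(loginPage);
    }
}
```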
Reference:
https://stackoverflow.com/questions/70458285