最近做了一个项目,要用到shiro,做完之后发现有个异常经常发生org.apache.shiro.session.UnknownSessionException: There is no session with id ,经过多天的研究,终于得以解决


登录的时候异常信息:

org.apache.shiro.session.UnknownSessionException: There is no session with id [4e8fe40a-6347-4c53-b273-829889656f6e]
	at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:209)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153)[251:org.apache.shiro.core:1.2.3]
	at org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:149)[251:org.apache.shiro.core:1.2.3]



为何找不到呢,原因是这样的。

当用户登录的时候,web容器tomcat或者jetty会在线程池里面启用线程调度,线程里面找到对应的servlet,shiro登录的时候代码如下

<span style="white-space:pre">	</span>Subject currentUser = SecurityUtils.getSubject();
        
        String sessionId = "";

        if (!currentUser.isAuthenticated()) {
              UsernamePasswordToken token = new UsernamePasswordToken(username, DigestUtils.md5Hex(passwd));
              token.setRememberMe(true);
              currentUser.login(token);
         }


方法SecurityUtils.getSubject()源码是这样

public static Subject getSubject() {
        Subject subject = ThreadContext.getSubject();
        if (subject == null) {
            subject = (new Subject.Builder()).buildSubject();
            ThreadContext.bind(subject);
        }
        return subject;
}


我们清楚的看到subject是从ThreadContext获取,创建过就直接从里面获取,没有创建的话就重新创建一个subject,然后绑定到ThreadContext,调用subject获取session的时候,他会去创建一个session,并且把session缓存起来,操作方法是在AbstractSessionDAO类里面,跟踪得知这里放的是subject的代理对象。如果session超时时间设置过短的话,在用户登录的时候,随着web容器分配的线程,很大的机会会分配之前的线程,而之前的线程绑定过了subject,subject没有失效,subejct对象里面的session也没有什么问题,但是session缓存里面的session失效了,用户登录的时候执行到currentuser.login(token)这个方法,他拿着之前的session,那后要去缓存里面读取,但是已经失效了,所以会报上面那个异常。


问题就是出现在这里,subject绑定到thread上下文里面,subject对象的session是个代理对象,正真的session是放在缓存里面,web容器随机分配的线程有可能绑定过subject,一旦session失效,就会报错。


解决的办法是在shiro去读取session之前判断有没有失效,如果失效移除ThreadContext里面的subject,并且删除缓存里面的session,代码如下

@Override
    public String login(String username, String passwd) {
        
        Subject currentUser = SecurityUtils.getSubject();
        //提前1秒去判断   防止这个if没进  等执行下面的时候它却失效了  <span style="font-family: Arial, Helvetica, sans-serif;">lengthenTimeOut是失效时间</span>

        if((System.currentTimeMillis()-currentUser.getSession().getStartTimestamp().getTime())>=lengthenTimeOut-1000){
            ThreadContext.remove(ThreadContext.SUBJECT_KEY);//移除线程里面的subject
            shiroSessionManager.getSessionDAO().delete(currentUser.getSession());//移除失效的session
            currentUser = SecurityUtils.getSubject();//重新获取subject
        }
        
        String sessionId = "";
try {
            if (!currentUser.isAuthenticated()) {
                UsernamePasswordToken token = new UsernamePasswordToken(username, DigestUtils.md5Hex(passwd));
                token.setRememberMe(true);
                currentUser.login(token);
            }
           
            sessionId = currentUser.getSession().getId().toString();
            

        } catch (ExcessiveAttemptsException ex) {
            log.info(username + "帐号被锁定1小时!", ex);
        } catch (UnknownAccountException uae) {
            log.info(username + "账户不存在!", uae);
        } catch (IncorrectCredentialsException ice) {
            log.info(username + "密码不正确!", ice);
        } catch (LockedAccountException lae) {
            log.info(username + "账户被禁了!", lae);
        } catch (AuthenticationException ae) {
            log.info(username + "用户名或密码错误!", ae);
        } catch (UnknownSessionException ue) {
            log.info("登录session失效" + sessionId, ue);
            
        }

        log.info("登录成功返回的sessionId+++++++++++++" + sessionId);
        return sessionId;
    }