Apache Shiro : how to manually login and create session?

Question

I have succesfully applied how to integrate facebook user logins with facebook based on this article, which revolves around creating a custom auth-token, realm, auth info and an empty credential-matcher for facebook.

The problem i'm having right now is that although i can successfully do a login, i cannot seem to get the session started, as can be seen from my custom session storage. Note that using the 'normal-non-facebook' login works, the sessions are created.

My guess is that the problem has something to do with shiroFilter + the loginUrl being able to create the native session, and manually doing SecurityUtils.getSubject().login(token) cannot create the native session.

When i do this in hope to create the session after login manually :

SecurityUtils.getSubject().login(facebookToken);
SecurityUtils.getSubject().getSession(true);

I get this exception :

org.apache.shiro.subject.support.DisabledSessionException: Session creation has been disabled for the current subject. This exception indicates that there is either a programming error (using a session when it should never be used) or that Shiro's configuration needs to be adjusted to allow Sessions to be created for the current Subject. See the org.apache.shiro.subject.support.DisabledSessionException JavaDoc for more.

Here's my session related configs :

<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="globalSessionTimeout" value="xxx" />
    <property name="sessionDAO" ref="sessionDAO" />
    <property name="sessionValidationSchedulerEnabled" value="false" />
    <property name="sessionIdCookie.domain" value="xxx.com" />
</bean>

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="sessionMode" value="native" />
    <property name="realms">
        <list>
            <ref bean="mainRealm" />
            <ref bean="fbRealm" />
        </list>
    </property>
    <property name="sessionManager" ref="sessionManager" />
</bean>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login"/>
    <property name="successUrl" value="/"/>
    <property name="unauthorizedUrl" value="/signup"/>
    <property name="filterChainDefinitions">
        <value>
            /login = ssl, authc
            /logout = noSessionCreation, logout
            /** = noSessionCreation, anon
        </value>
    </property>
</bean>

<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
    <property name="arguments" ref="securityManager"/>
</bean>

So in the end, how should i login in a way that automatically creates the session and returns the session cookie to the browser ?

Answer 1

It was the noSessionCreation filter that causes the exception.

I had to do req.setAttribute(DefaultSubjectContext.SESSION_CREATION_ENABLED, Boolean.TRUE); before doing the manual login to get the session created.

Now everything is working great !