Spring+shiro session与线程池的坑

Posted 2022-02-11 ytxiao

在java web编程中，经常使用shiro来管理session，也确实好用

1. shiro来获取session的方式

SecurityUtils.getSubject().getSession()

其中SecurityUtils的getSubject代码如下

/**
     * Returns the currently accessible @code Subject available to the calling code depending on
     * runtime environment.
     * <p/>
     * This method is provided as a way of obtaining a @code Subject without having to resort to
     * implementation-specific methods.  It also allows the Shiro team to change the underlying implementation of
     * this method in the future depending on requirements/updates without affecting your code that uses it.
     *
     * @return the currently accessible @code Subject accessible to the calling code.
     * @throws IllegalStateException if no @link Subject Subject instance or
     *                               @link SecurityManager SecurityManager instance is available with which to obtain
     *                               a @code Subject, which which is considered an invalid application configuration
     *                               - a Subject should <em>always</em> be available to the caller.
     */
    public static Subject getSubject() 
        Subject subject = ThreadContext.getSubject();
        if (subject == null) 
            subject = (new Subject.Builder()).buildSubject();
            ThreadContext.bind(subject);
        
        return subject;
    

　　

 

Subject subject = ThreadContext.getSubject();

获取进程上下文，这个存在了问题，如果在使用线程池，获取的就是线程池里面的session，如果线程池为配置过期时间，那么线程池里面的线程一直不变，就会出现在线程池里面getsession就会是上一次的session，导致获取session失败

 

线程池原理可参考

https://www.cnblogs.com/ytxiao/articles/11081136.html