Skip to content

GH-4033: Disable Shiro sessions#4038

Merged
afs merged 2 commits into
apache:mainfrom
afs:gh4033-shiro-session
Jul 7, 2026
Merged

GH-4033: Disable Shiro sessions#4038
afs merged 2 commits into
apache:mainfrom
afs:gh4033-shiro-session

Conversation

@afs

@afs afs commented Jul 3, 2026

Copy link
Copy Markdown
Member

GitHub issue resolved #4033
GitHub issue resolved #4037

Pull request Description:
Disable Shiro sessions and don't allocate in Jetty.


  • Key commit messages start with the issue number (GH-xxxx)

By submitting this pull request, I acknowledge that I am making a contribution to the Apache Software Foundation under the terms and conditions of the Contributor's Agreement.


See the Apache Jena "Contributing" guide.

}

/**
* Ensure a filename is formatted the way SHiro wants it.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Ensure a filename is formatted the way SHiro wants it.
* Ensure a filename is formatted the way Shiro wants it.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done


ServletContextHandler servletContextHandler = (ServletContextHandler)(jettyServer.getHandler());
if ( servletContextHandler.getSessionHandler() == null ) {
SessionHandler sessionHandler = new SessionHandler();

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed in the original issue is it possible to set a session timeout on the handler if we are creating one? Or is that not worth doing given the comments elsewhere that this support for sessions is likely temporary

@afs afs Jul 6, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fuseki is using only one part of Shiro's web support - the HTTP authentication and URL pattern matching. Sessions seem to be motivated by webapp sessions in JakartaEE. It is the linkage of Shiro Sessions to HTTP Sessions that seems to be the problem.

The Shiro filter code is in shiro-web-jakarata which brings in JarakaEE related code which Fuseki does not need.

I tried with timeouts on HTTP Sessions and adding a session listener that logs sessions being created every request, but wasn't seeing sessions being released. I didn't investigate too deeply because I think the long term is no Shiro sessions (Fuseki does not need them) and so strip out this code block. DISABLE_SESSIONS is , I hope, temporary. The cost is adding a servlet attribute to each request which seems crude but that approach does mean not navigating Shiro initialization code and so it is hopefully more stable.

The Jetty server can be configured and may be some other future feature wants HTTP sessions. It is free to add them without interference.

BTW Good thing you commented - I'd left some development code in the PR.

@afs afs merged commit 05a06f4 into apache:main Jul 7, 2026
1 check passed
@afs afs deleted the gh4033-shiro-session branch July 7, 2026 11:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Align packaging and cmd names of Fuseki Fuseki sessions are immortal and fill up heap

2 participants