shiro-dev mailing list archives

From "Les Hazlewood (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-355) Concurrency issue with the runAs principles stored in the Session object
Date Thu, 05 Apr 2012 18:34:25 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13247482#comment-13247482 ]

Les Hazlewood commented on SHIRO-355:
-------------------------------------

While we should support pluggable RunAs storage mechanisms regardless, what makes you think
there was a concurrency issue?  

Session attribute visibility across requests is important for any request, regardless of whether
the session attribute is a runAs collection or not.

What was the 'concurrency issue' exactly?  

                
> Concurrency issue with the runAs principles stored in the Session object
> ------------------------------------------------------------------------
>
>                 Key: SHIRO-355
>                 URL: https://issues.apache.org/jira/browse/SHIRO-355
>             Project: Shiro
>          Issue Type: Bug
>          Components: Subject
>    Affects Versions: 1.2.0
>            Reporter: Marinus Geuze
>            Priority: Minor
>         Attachments: Subject.java
>
>
> Hi,
> I am using the runAs functionality of Shiro. However, I think that there is a design flaw
> in the implementation. Because the runAs principals are stored in the Session object. However,
> when a user does a second request to the server, while the first request to the server is
> still running, then there is a concurrency issue with the stored runAs principals.
> This issue caused problems in our application, which used a JSF 2.0 frontend.
> Therefore I have overridden the default behavior of the org.apache.shiro.subject.Subject
> class, by implementing our own Subject class. This class stores the runAs principals in the
> servletRequest object. The concurrency issue is thereby fixed. See my implementation in
> the attachment.
> Am I right that the current session implementation is incorrect? If so, please fix this
> bug. If not, is it an idea to make this a configuration choice in Shiro by using a storeRunAsPrinciplesInSession
> or storeRunAsPrincipleInServletRequest indicator?
> Greets,
> Marinus

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
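
A constructed model of the scenario in the quoted report, added here as an illustration; it is not code from this thread, from the Subject.java attachment, or from Shiro. It uses plain maps in place of the session and the servlet request (the class name, the attribute key and the users "alice" and "bob" are assumptions) and compares what a second, overlapping request sees when the runAs stack is session-scoped versus request-scoped.

```java
import java.util.*;
import java.util.concurrent.*;

// Constructed model, not Shiro code: one map shared by all requests of a session, one map per request.
public class RunAsVisibilityDemo {
    static final String KEY = "RUN_AS_PRINCIPALS"; // hypothetical attribute name

    // Effective identity as resolved from the given store: top of the runAs stack, else the login user.
    static String effectiveUser(Map<String, Object> store, String loginUser) {
        @SuppressWarnings("unchecked")
        Deque<String> stack = (Deque<String>) store.get(KEY);
        return (stack == null || stack.isEmpty()) ? loginUser : stack.peek();
    }

    // Request A assumes another identity; request B overlaps with it. Returns the identity B observed.
    static String observedBySecondRequest(boolean storeInSession) throws Exception {
        Map<String, Object> session = new ConcurrentHashMap<>(); // shared across requests
        CountDownLatch runAsActive = new CountDownLatch(1);
        CountDownLatch bDone = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            Future<?> a = pool.submit(() -> {
                Map<String, Object> store = storeInSession ? session : new HashMap<String, Object>();
                Deque<String> stack = new ArrayDeque<>();
                stack.push("bob");          // models runAs(bob) by login user alice
                store.put(KEY, stack);
                runAsActive.countDown();
                bDone.await();              // request A is still running while B executes
                store.remove(KEY);          // models releaseRunAs()
                return null;
            });
            Future<String> b = pool.submit(() -> {
                runAsActive.await();        // B starts its work while A's runAs is active
                Map<String, Object> store = storeInSession ? session : new HashMap<String, Object>();
                return effectiveUser(store, "alice");
            });
            String seen = b.get();
            bDone.countDown();
            a.get();
            return seen;
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("session-scoped: request B acts as " + observedBySecondRequest(true));
        System.out.println("request-scoped: request B acts as " + observedBySecondRequest(false));
    }
}
```

The latches force the overlap so the result is deterministic; in a real application the interleaving depends on request timing.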