
Do not allow http session replacement in Wicket because Shiro knowledge becomes outdated


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: viewer-wicket-1.7.0
    • Fix Version/s: core-1.8.0
    • Component/s: Isis Viewer Wicket
    • Labels: None

      Description

      While testing Wicket 6.19.0 with Isis I've found that most menu items were not displayed.
      The reason was that since http://issues.apache.org/jira/browse/WICKET-5775 Wicket(-auth-roles) replaces the http session after successful login to prevent session fixation attacks.
      This leads to problems with Shiro authorizations later because Shiro is not notified about the replacement and keeps using the old http session data.

      https://issues.apache.org/jira/browse/SHIRO-170?focusedCommentId=13108301&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13108301 suggests how to do session replacement with Shiro.

      With session replacement done through Shiro, or without any replacement at all, I suggest making Wicket's Session#replaceSession() a no-op method to avoid any similar problems in the future.
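The fix suggested above, written out as an added example (not code from the Isis project or from the reporter): a Wicket `AuthenticatedWebSession` that delegates login and role checks to Shiro and overrides `replaceSession()` as a no-op so Wicket never invalidates the HttpSession that Shiro's Subject is bound to. The class name and the `KNOWN_ROLES` list are assumptions.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Hypothetical session class: authentication and authorization are delegated to Shiro.
public class ShiroBackedWebSession extends AuthenticatedWebSession {

    // Assumption: the role names configured in the Shiro realm.
    private static final String[] KNOWN_ROLES = { "admin", "user" };

    public ShiroBackedWebSession(Request request) {
        super(request);
    }

    @Override
    public boolean authenticate(String username, String password) {
        try {
            // Shiro binds the Subject's session to the *current* HttpSession.
            SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    @Override
    public Roles getRoles() {
        Roles roles = new Roles();
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            for (String role : KNOWN_ROLES) {
                if (subject.hasRole(role)) roles.add(role);
            }
        }
        return roles;
    }

    // Since WICKET-5775, signIn() calls replaceSession() after a successful login, which
    // invalidates the HttpSession and binds a new one. Shiro is not told about the swap and
    // keeps using the old session, so later hasRole()/isPermitted() checks no longer see the
    // login. Keeping both on the same HttpSession means the session-fixation defence that
    // replaceSession() provided must now come from Shiro or the servlet container instead.
    @Override
    public void replaceSession() {
        // intentionally a no-op
    }
}
```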


    People

    • Assignee: Unassigned
    • Reporter: mgrigorov Martin Tzvetanov Grigorov
