
Do not allow http session replacement in Wicket because Shiro knowledge becomes outdated

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: viewer-wicket-1.7.0
    • Fix Version/s: core-1.8.0
    • Component/s: Core: Viewer: Wicket
    • Labels:
      None

      Description

      While testing Wicket 6.19.0 with Isis I've found that most menu items were not displayed.
      The reason was that since http://issues.apache.org/jira/browse/WICKET-5775 Wicket(-auth-roles) replaces the http session after successful login to prevent session fixation attacks.
      This leads to problems with Shiro authorizations later because Shiro is not notified about the replacement and keeps using the old http session data.

      https://issues.apache.org/jira/browse/SHIRO-170?focusedCommentId=13108301&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13108301 suggests how to do session replacement with Shiro.

      With session replacement with Shiro or without any replacement, I suggest making Wicket's Session#replaceSession() a no-op method to avoid any similar problems in the future.
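The failure mode described above, as an added illustration (constructed model, not Isis, Wicket or Shiro code): an anti-fixation session swap after login leaves a security subject bound to the invalidated session, so role checks fail until the subject is rebound to the new session. All class and function names are stand-ins.

```python
"""Model of the ISIS-1018 symptom: session replaced after login,
authorization layer still holds the old session (constructed example)."""
import itertools

_ids = itertools.count(1)  # deterministic session ids for the example


class HttpSession:
    """Minimal container session: id, attributes, invalidated flag."""
    def __init__(self):
        self.id = f"sid-{next(_ids)}"
        self.attributes = {}
        self.valid = True

    def get(self, key):
        if not self.valid:  # containers refuse access to a dead session
            raise RuntimeError(f"{self.id} already invalidated")
        return self.attributes.get(key)


class SessionStore:
    def __init__(self):
        self.sessions = {}

    def create(self):
        session = HttpSession()
        self.sessions[session.id] = session
        return session

    def replace(self, old):
        """Anti-fixation swap: new id, attributes copied, old one killed."""
        new = self.create()
        new.attributes.update(old.attributes)
        old.valid = False
        del self.sessions[old.id]
        return new


class Subject:
    """Security-framework view of the user, bound to one session object."""
    def __init__(self, session):
        self.session = session

    def has_role(self, role):
        try:
            return role in (self.session.get("roles") or set())
        except RuntimeError:
            return False  # stale session: access silently denied


def login_then_check(rebind_subject):
    store = SessionStore()
    session = store.create()
    session.attributes["roles"] = {"admin"}
    subject = Subject(session)          # authz layer binds pre-login session
    fresh = store.replace(session)      # swap performed after successful login
    if rebind_subject:
        subject.session = fresh         # the fix: tell the authz layer
    return subject.has_role("admin")
```

Without the rebind the role check returns False even though the copied attributes are intact, which matches the hidden menu items reported above.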

            People

            • Assignee: Unassigned
            • Reporter: mgrigorov (Martin Grigorov)
            • Votes: 0
            • Watchers: 3
