Shiro / SHIRO-312

DefaultSecurityManager.setSessionManager can get out of sync with DefaultSecurityManager.setSessionMode

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2.0
    • Fix Version/s: 1.2.0
    • Component/s: Web
    • Labels:
      None

      Description

      So, I've run into a bit of a pickle with DefaultWebSecurityManager and
      native vs http sessions.

      The DefaultWebSecurityManager exposes two methods, ostensibly for the
      purposes of determining how sessions are managed:

      setSessionManager(SessionManager)

      and

      setSessionMode(String)

      However, it would appear that if I call:

      setSessionManager(new MyCustomSessionManager())

      and then

      setSessionMode("native")

      the SessionManager is overridden.

      This is a bit of a gotcha, but can be easily avoided by not calling
      setSessionMode. (Calling them in the reverse order seems contrary to
      the nature of setters.) The problem with not calling setSessionMode is
      that it appears to actually matter - if I leave it to its default
      (http), but set a DefaultWebSessionManager, then things break horribly
      (apparently due to the use of isHttpSessionMode by AbstractShiroFilter
      for redirect rewriting). Sessions get forgotten, etc. This also seems
      contrary to the nature of setters.

      1. SessionManager_SHIRO-312_b.patch
        7 kB
        Jared Bunting
      2. SessionManager_SHIRO-312.patch
        7 kB
        Jared Bunting
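
The two states the description reports, reproduced in a small stand-alone Java model (an added example, not Shiro source code and not taken from the attached patches; every class name below is a hypothetical stand-in). The last class shows one way to prevent the drift by deriving the mode from the configured manager, which is an assumption here and not necessarily how the issue was resolved.

```java
// Simplified model of the setter interaction; hypothetical classes, not Shiro's.
import java.util.Objects;

public class SessionModeSyncDemo {
    interface SessionManager {}
    static class ContainerSessionManager implements SessionManager {} // models servlet-container (http) sessions
    static class NativeSessionManager implements SessionManager {}    // models native sessions
    static class MyCustomSessionManager extends NativeSessionManager {}

    // Pattern from the report: two setters that each own part of the same state.
    static class TwoSetterManager {
        private SessionManager sessionManager = new ContainerSessionManager();
        private String sessionMode = "http";
        void setSessionManager(SessionManager m) { sessionManager = Objects.requireNonNull(m); }
        void setSessionMode(String mode) {
            sessionMode = mode;
            // Rebuilds the manager from the mode, discarding any custom instance.
            sessionManager = "native".equals(mode) ? new NativeSessionManager() : new ContainerSessionManager();
        }
        boolean isHttpSessionMode() { return "http".equals(sessionMode); }
        SessionManager getSessionManager() { return sessionManager; }
    }

    // Single source of truth: the mode is computed from the manager, so it cannot drift.
    static class DerivedModeManager {
        private SessionManager sessionManager = new ContainerSessionManager();
        void setSessionManager(SessionManager m) { sessionManager = Objects.requireNonNull(m); }
        boolean isHttpSessionMode() { return sessionManager instanceof ContainerSessionManager; }
        SessionManager getSessionManager() { return sessionManager; }
    }

    public static void main(String[] args) {
        SessionManager custom = new MyCustomSessionManager();

        TwoSetterManager a = new TwoSetterManager();
        a.setSessionManager(custom);
        a.setSessionMode("native"); // case 1: the custom manager is replaced
        System.out.println("custom manager kept after setSessionMode: " + (a.getSessionManager() == custom));

        TwoSetterManager b = new TwoSetterManager();
        b.setSessionManager(custom); // case 2: mode left at its default
        System.out.println("native manager but http mode reported: " + b.isHttpSessionMode());

        DerivedModeManager c = new DerivedModeManager();
        c.setSessionManager(custom);
        System.out.println("derived: kept=" + (c.getSessionManager() == custom)
                + ", httpMode=" + c.isHttpSessionMode());
    }
}
```

In an application, the equivalent startup check is to confirm that the security manager still holds the session manager instance you configured and that the reported session mode matches it before serving requests.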

          People

          • Assignee:
            Les Hazlewood
            Reporter:
            Jared Bunting