Wicket / WICKET-6242

Weak concurrency management in AuthenticatedWebSession#signedIn

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 8.0.0-M1, 7.4.0
    • Fix Version/s: 8.0.0-M2, 7.5.0
    • Component/s: wicket-auth-roles
    • Labels: None

    Description

      Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz

      Currently [1] uses a volatile boolean "signedIn" to control the state.
      org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure()
      tries to make use of it.
      IMO this implementation is a bit weak. There are big windows for this state to
      change in the meantime.

      Usually this shouldn't be a big problem, the application will authenticate
      the same user twice.
      But if the application does something in ISessionListener#onBind() then it
      becomes a problem [2].

      1. https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
      2. https://issues.apache.org/jira/browse/ISIS-1481
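
The check-then-act window described in this report, as an added Java example that is not Wicket's code: two concurrent sign-ins both pass a volatile-flag check and both bind, while `AtomicBoolean.compareAndSet` lets exactly one of them bind. `Session`, `VolatileSession`, `AtomicSession` and the barrier inside `authenticate()` are hypothetical stand-ins constructed to make the interleaving reproducible.

```java
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;

public class SignInRaceDemo {
    // Hypothetical stand-in for a web session; not AuthenticatedWebSession itself.
    static abstract class Session {
        final AtomicInteger binds = new AtomicInteger();          // counts onBind()-style callbacks
        final CyclicBarrier inWindow = new CyclicBarrier(2);

        boolean authenticate() throws Exception {
            inWindow.await();   // constructed: hold both requests between check and act
            return true;        // same user, valid credentials on both requests
        }
        void bind() { binds.incrementAndGet(); }
        abstract void signIn() throws Exception;
    }

    // A volatile flag gives visibility, not atomicity of check + set + bind.
    static class VolatileSession extends Session {
        private volatile boolean signedIn;
        void signIn() throws Exception {
            if (signedIn) return;          // check: both threads see false
            signedIn = authenticate();     // the state can change in this window
            if (signedIn) bind();          // act: both threads bind
        }
    }

    // compareAndSet makes the false -> true transition a single atomic step.
    static class AtomicSession extends Session {
        private final AtomicBoolean signedIn = new AtomicBoolean();
        void signIn() throws Exception {
            if (signedIn.get()) return;
            if (authenticate() && signedIn.compareAndSet(false, true)) bind();
        }
    }

    // Runs two concurrent sign-ins on one session and returns how often bind() fired.
    static int run(Session s) throws Exception {
        Runnable r = () -> {
            try { s.signIn(); } catch (Exception e) { throw new IllegalStateException(e); }
        };
        Thread a = new Thread(r), b = new Thread(r);
        a.start(); b.start(); a.join(); b.join();
        return s.binds.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("volatile flag binds: " + run(new VolatileSession()));
        System.out.println("compareAndSet binds: " + run(new AtomicSession()));
    }
}
```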

            People

              Assignee: mgrigorov Martin Tzvetanov Grigorov
              Reporter: mgrigorov Martin Tzvetanov Grigorov
              Votes: 0
              Watchers: 3