[CAUSEWAY-1018] Do not allow http session replacement in Wicket because Shiro knowledge becomes outdated - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: viewer-wicket-1.7.0
Fix Version/s: core-1.8.0
Component/s: Viewer Wicket
Labels:
None

Description

While testing Wicket 6.19.0 with Isis I've found that most menu items were not displayed.
The reason was that since http://issues.apache.org/jira/browse/WICKET-5775 Wicket(-auth-roles) replaces the http session after successful login to prevent session fixation attacks.
This leads to problems with Shiro authorizations later because Shiro is not notified about the replacement and keeps using the old http session data.

https://issues.apache.org/jira/browse/SHIRO-170?focusedCommentId=13108301&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13108301 suggests how to do session replacement with Shiro.

With session replacement with Shiro or without any replacement I suggest to make Wicket's Session#replaceSession() a no-op method to avoid any similar problems in the future.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Martin Tzvetanov Grigorov

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 29/Jan/15 08:09

Updated:: 23/Feb/15 22:16

Resolved:: 29/Jan/15 08:11