Description
So, I've run into a bit of a pickle with DefaultWebSecurityManager and
native vs http sessions.
The DefaultWebSecurityManager exposes two methods, ostensibly for the
purposes of determining how sessions are managed:
setSessionManager(SessionManager)
and
setSessionMode(String)
However, it would appear that if I call:
setSessionManager(new MyCustomSessionManager())
and then
setSessionMode("native")
the SessionManager is overridden.
This is a bit of a gotcha, but can be easily avoided by not calling
setSessionMode. (Calling them in the reverse order seems contrary to
the nature of setters.) The problem with not calling setSessionMode is
that it appears to actually matter - if I leave it to its default
(http), but set a DefaultWebSessionManager, then things break horribly
(apparently due to the use of isHttpSessionMode by AbstractShiroFilter
for redirect rewriting). Sessions get forgotten, etc. This also seems
contrary to the nature of setters.
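The ordering problem above, as an added example rather than code from the issue or from Shiro: both call orders are shown side by side, and the workaround (mode first, then manager) ends with a startup-time check that the reported session mode and the installed manager agree, using getSessionManager() and isHttpSessionMode() from DefaultWebSecurityManager. MyCustomSessionManager is a hypothetical subclass of DefaultWebSessionManager standing in for the one mentioned in the issue.

```java
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

public class SessionModeOrdering {

    /** Hypothetical stand-in for the issue's MyCustomSessionManager. */
    static class MyCustomSessionManager extends DefaultWebSessionManager { }

    /** Order described in the issue: setSessionMode replaces the custom manager. */
    static SessionManager managerThenMode() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setSessionManager(new MyCustomSessionManager());
        sm.setSessionMode("native"); // installs a fresh DefaultWebSessionManager
        return sm.getSessionManager();
    }

    /** Workaround: switch to native mode first, then install the custom manager. */
    static DefaultWebSecurityManager modeThenManager() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setSessionMode("native");
        sm.setSessionManager(new MyCustomSessionManager());
        return sm;
    }

    /**
     * Guard worth running once at startup: if the mode still says "http" while a
     * native manager is installed, AbstractShiroFilter's redirect rewriting will
     * act on the wrong assumption and sessions get lost, as the issue describes.
     */
    static void assertConsistent(DefaultWebSecurityManager sm) {
        boolean nativeManager = sm.getSessionManager() instanceof DefaultWebSessionManager;
        if (sm.isHttpSessionMode() == nativeManager) {
            throw new IllegalStateException("session mode and session manager disagree: mode="
                    + (sm.isHttpSessionMode() ? "http" : "native")
                    + ", manager=" + sm.getSessionManager().getClass().getSimpleName());
        }
    }

    public static void main(String[] args) {
        System.out.println("manager then mode -> "
                + managerThenMode().getClass().getSimpleName()); // DefaultWebSessionManager
        DefaultWebSecurityManager fixed = modeThenManager();
        System.out.println("mode then manager -> "
                + fixed.getSessionManager().getClass().getSimpleName()); // MyCustomSessionManager
        assertConsistent(fixed);
    }
}
```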