Posted to dev@isis.apache.org by "Martin Grigorov (JIRA)" <ji...@apache.org> on 2015/01/29 09:11:35 UTC
[jira] [Resolved] (ISIS-1018) Do not allow http session replacement in Wicket because Shiro knowledge becomes outdated
[ https://issues.apache.org/jira/browse/ISIS-1018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Grigorov resolved ISIS-1018.
-----------------------------------
Resolution: Fixed
Fix Version/s: viewer-wicket-1.8.0
> Do not allow http session replacement in Wicket because Shiro knowledge becomes outdated
> ----------------------------------------------------------------------------------------
>
> Key: ISIS-1018
> URL: https://issues.apache.org/jira/browse/ISIS-1018
> Project: Isis
> Issue Type: Improvement
> Components: Viewer: Wicket
> Affects Versions: viewer-wicket-1.7.0
> Reporter: Martin Grigorov
> Assignee: Martin Grigorov
> Fix For: viewer-wicket-1.8.0
>
>
> While testing Wicket 6.19.0 with Isis I've found that most menu items were not displayed.
> The reason was that since http://issues.apache.org/jira/browse/WICKET-5775 Wicket(-auth-roles) replaces the http session after successful login to prevent session fixation attacks.
> This leads to problems with Shiro authorizations later because Shiro is not notified about the replacement and keeps using the old http session data.
> https://issues.apache.org/jira/browse/SHIRO-170?focusedCommentId=13108301&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13108301 suggests how to do session replacement with Shiro.
> With session replacement via Shiro or without any replacement, I suggest making Wicket's Session#replaceSession() a no-op method to avoid any similar problems in the future.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
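The no-op suggested in the issue, shown in context as an added Java example (not Isis's own code, not the Wicket or Shiro project's): a Shiro-backed Wicket AuthenticatedWebSession whose authentication and role checks are answered by Shiro, with replaceSession() disabled. It assumes Shiro's default servlet-container session manager (the Subject's principals live in the HttpSession); the class name and the UI_ROLES list are assumptions.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Hypothetical Wicket session delegating authn/authz to Shiro (not Isis's class).
public class ShiroBackedWebSession extends AuthenticatedWebSession {
    private static final String[] UI_ROLES = { Roles.ADMIN, Roles.USER }; // assumed names

    public ShiroBackedWebSession(Request request) {
        super(request);
    }

    // Called by AuthenticatedWebSession.signIn(). Shiro stores the logged-in
    // principals in the current HttpSession, so that session is the record.
    @Override
    protected boolean authenticate(String username, String password) {
        try {
            SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    // Wicket's role checks (page authorization, menu visibility) are answered
    // from Shiro on each call, so they reflect the session Shiro currently sees.
    @Override
    public Roles getRoles() {
        Roles roles = new Roles();
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            for (String role : UI_ROLES) {
                if (subject.hasRole(role)) roles.add(role);
            }
        }
        return roles;
    }

    // Since WICKET-5775, signIn() calls replaceSession() right after a successful
    // authenticate(). That invalidates the HttpSession Shiro just wrote into and
    // Shiro is not told, so later hasRole() checks see stale data (ISIS-1018).
    // Disable Wicket's rotation here; session id rotation is then Shiro's job.
    @Override
    public void replaceSession() {
        // intentionally empty
    }
}
```

Because this turns off the session fixation defense Wicket added in WICKET-5775, rotating the session id at login has to happen on the Shiro side, as the SHIRO-170 comment linked in the issue discusses.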