Posted to dev@shiro.apache.org by "Pierre-Alexandre Meyer (JIRA)" <ji...@apache.org> on 2014/08/12 23:52:12 UTC

[jira] [Commented] (SHIRO-510) java.lang.StackOverflowError in shiro

    [ https://issues.apache.org/jira/browse/SHIRO-510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14094753#comment-14094753 ] 

Pierre-Alexandre Meyer commented on SHIRO-510:
----------------------------------------------

It looks like DelegatingSubject.login(AuthenticationToken token) eventually creates a new instance of WebDelegatingSubject (DefaultWebSubjectFactory.createSubject(SubjectContext context)).

If an existing session exists, the constructor of the parent DelegatingSubject decorates the session instance and always wraps it into a StoppingAwareProxiedSession, even if the session is already wrapped.

This can be demonstrated by the following code:
  
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.subject.Subject;

public class TestSHIRO_510 {

    public static void main(String[] args) {
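        // Expects a shiro.ini on the classpath that defines the user "root" with password "secret".
        final IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        final Subject currentUser = SecurityUtils.getSubject();
        // Deliberately never terminates: every login() on the same Subject wraps the
        // existing session in one more StoppingAwareProxiedSession.
        while (true) {
            currentUser.login(new UsernamePasswordToken("root", "secret"));
        }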
    }
}

Rapidly, the session is wrapped around hundreds of instances of StoppingAwareProxiedSession.

Is it expected? Is the code above illegal and should one always call isAuthenticated() before login()?

> java.lang.StackOverflowError in shiro
> -------------------------------------
>
>                 Key: SHIRO-510
>                 URL: https://issues.apache.org/jira/browse/SHIRO-510
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.2.2
>         Environment: Linux, ubuntu, apache tomcat-8
>            Reporter: Kill Bill
>
> 326293 > POST http://killbill-uat2.snc1:8080/1.0/kb/payments/a3bb531b-9ab7-4e9b-8a71-602dfbf4680d?pluginProperty=TEST_MODE%3DCONTROL
> 326293 > accept: application/json
> 326293 > user-agent: killbill/0.7.3; ruby 2.1.1p76 (2014-02-24 revision 45161) [x86_64-linux]
> 326293 > accept-encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
> 326293 > authorization: Basic YWRtaW46cGFzc3dvcmQ=
> 326293 > content-type: application/json
> 326293 > x-killbill-createdby: AuthCapture
> 326293 > host: killbill-uat2.snc1:8080
> 326293 > content-length: 129
> 326293 > 
> 2014-08-05 00:52:49,854 [catalina-exec-11] ERROR c.s.j.s.container.ContainerResponse - The exception contained within MappableContainerException could not be mapped to a response, re-throwing to the HTTP container
> java.lang.StackOverflowError: null
>         at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.2]
>         at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.2]
>         at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.2]
>         at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.2]
>         at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.2]
>         at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.2]
>         at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.2]
>         at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[ProxiedSession.class:1.2.2]



--
This message was sent by Atlassian JIRA
(v6.2#6252)
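
Added example (not part of the original message and not Shiro's code): a minimal model of the wrapping behaviour described in the comment above, next to an idempotent wrap that keeps the proxy chain one layer deep. Session, BaseSession, ProxySession, wrapAlways and wrapOnce are hypothetical stand-ins, and the count of 200,000 logins is constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; Session, BaseSession and ProxySession are simplified
// stand-ins (assumptions), not Apache Shiro's classes.
public class ProxyChainDemo {
    interface Session { Object getAttribute(Object key); }

    static final class BaseSession implements Session {
        private final Map<Object, Object> attrs = new HashMap<>();
        public Object getAttribute(Object key) { return attrs.get(key); }
    }

    // Forwards every call to its delegate, so one call costs one stack frame per layer.
    static final class ProxySession implements Session {
        final Session delegate;
        ProxySession(Session delegate) { this.delegate = delegate; }
        public Object getAttribute(Object key) { return delegate.getAttribute(key); }
    }

    // Behaviour described in the comment: wrap unconditionally on every login.
    static Session wrapAlways(Session s) { return new ProxySession(s); }
    // Idempotent alternative: leave an already-wrapped session untouched.
    static Session wrapOnce(Session s) { return (s instanceof ProxySession) ? s : new ProxySession(s); }

    // Counts proxy layers iteratively, so measuring a deep chain cannot itself overflow.
    static int depth(Session s) {
        int n = 0;
        while (s instanceof ProxySession) { s = ((ProxySession) s).delegate; n++; }
        return n;
    }

    public static void main(String[] args) {
        Session always = new BaseSession();
        Session once = new BaseSession();
        for (int login = 0; login < 200_000; login++) {   // constructed number of repeated logins
            always = wrapAlways(always);
            once = wrapOnce(once);
        }
        System.out.println("wrapAlways depth: " + depth(always));
        System.out.println("wrapOnce depth:   " + depth(once));
        try {
            always.getAttribute("key");
            System.out.println("deep chain: call returned (thread stack was large enough)");
        } catch (StackOverflowError e) {
            System.out.println("deep chain: StackOverflowError in getAttribute");
        }
    }
}
```

Whether the deep chain overflows depends on the JVM's thread stack size (-Xss), which is why main() reports both outcomes.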