Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2012/07/24 23:41:34 UTC

[jira] [Updated] (SHIRO-355) Provide runAs storage options (not just session).

     [ https://issues.apache.org/jira/browse/SHIRO-355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood updated SHIRO-355:
--------------------------------

    Issue Type: Improvement  (was: Bug)
       Summary: Provide runAs storage options (not just session).  (was: Concurrency issue with the runAs principles stored in the Session object)
    
> Provide runAs storage options (not just session).
> -------------------------------------------------
>
>                 Key: SHIRO-355
>                 URL: https://issues.apache.org/jira/browse/SHIRO-355
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Subject
>    Affects Versions: 1.2.0
>            Reporter: Marinus Geuze
>            Priority: Minor
>         Attachments: Subject.java
>
>
> Hi,
> I am using the runAs functionality of Shiro. However, I think that there is a design flaw in the implementation, because the runAs principals are stored in the Session object. When a user makes a second request to the server while the first request to the server is still running, there is a concurrency issue with the stored runAs principals.
> This issue caused problems in our application, which used a JSF 2.0 frontend.
> Therefore I have overridden the default behavior of the org.apache.shiro.subject.Subject class by implementing our own Subject class. This class stores the runAs principals in the servletRequest object. The concurrency issue is thereby fixed. See my implementation in the attachment.
> Am I right that the current session implementation is incorrect? If so, please fix this bug. If not, is it an idea to make this a configuration choice in Shiro by using a storeRunAsPrinciplesInSession or storeRunAsPrincipleInServletRequest indicator?
> Greets,
> Marinus
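
A simplified model of the interleaving the reporter describes, added here as an example; it is not code from the issue, from the attached Subject.java or from Shiro. Two concurrent requests either share one session-scoped runAs store or each get a request-scoped one. The class name, the key and the principal names "alice" and "admin" are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.*;

// Model only: plain maps stand in for the session and the servlet request.
public class RunAsScopeDemo {
    static final String KEY = "runAsPrincipal"; // hypothetical attribute key

    // Effective identity: the assumed one if the store holds it, else the login identity.
    static String effective(Map<String, Object> store, String login) {
        return (String) store.getOrDefault(KEY, login);
    }

    // Request A assumes "admin" and stays in flight while request B, logged in as
    // "alice" and never calling runAs, reads its identity. Returns what B saw.
    static String identitySeenByB(Map<String, Object> storeA,
                                  Map<String, Object> storeB) throws Exception {
        CountDownLatch assumed = new CountDownLatch(1);
        CountDownLatch bDone = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            Future<?> a = pool.submit(() -> {
                storeA.put(KEY, "admin");   // runAs
                assumed.countDown();
                bDone.await();              // A is still running while B executes
                storeA.remove(KEY);         // releaseRunAs
                return null;
            });
            Future<String> b = pool.submit(() -> {
                assumed.await();            // force the overlap described in the report
                try { return effective(storeB, "alice"); }
                finally { bDone.countDown(); }
            });
            a.get();
            return b.get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> session = new ConcurrentHashMap<>();
        // Session-scoped: both requests of the same user share one store.
        System.out.println("session-scoped: B runs as " + identitySeenByB(session, session));
        // Request-scoped: each request carries its own store.
        System.out.println("request-scoped: B runs as "
                + identitySeenByB(new ConcurrentHashMap<>(), new ConcurrentHashMap<>()));
    }
}
```

In the session-scoped run, request B picks up the identity assumed by request A even though B never called runAs; in the request-scoped run it keeps its login identity.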
