Posted to commits@shiro.apache.org by GitBox <gi...@apache.org> on 2022/10/12 12:32:03 UTC

[GitHub] [shiro] adamenveil commented on a diff in pull request #372: [SHIRO-512] catch SessionException in getRunAsPrincipalsStack

adamenveil commented on code in PR #372:
URL: https://github.com/apache/shiro/pull/372#discussion_r993395430


##########
core/src/main/java/org/apache/shiro/subject/support/DelegatingSubject.java:
##########
@@ -471,7 +471,16 @@ public PrincipalCollection releaseRunAs() {
     private List<PrincipalCollection> getRunAsPrincipalsStack() {
         Session session = getSession(false);
         if (session != null) {
-            return (List<PrincipalCollection>) session.getAttribute(RUN_AS_PRINCIPALS_SESSION_KEY);
+            try {
+                return (List<PrincipalCollection>) session.getAttribute(RUN_AS_PRINCIPALS_SESSION_KEY);
+            } catch (SessionException se) {
+                // There could be a rare race condition when a session is invalidated in another thread,
+                // this thread could throw this exception, so we catch it
+                // similar issue as in clearRunAsIdentitiesInternal()
+                // See https://issues.apache.org/jira/browse/SHIRO-512
+                log.debug("Encountered session exception trying to get 'runAs' principal stack.  This "
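Review bot: the catch at lines 20-25 swallows SessionException and only logs at debug, but the quoted hunk ends before the method's return after the catch is visible, and nothing in the comment block (lines 21-24) tells a caller what to conclude. Please state there, or in the method's Javadoc, that a SessionException at this point means the session was invalidated concurrently and is handled the same as the `session == null` branch (no runAs stack), and that callers of getRunAsPrincipalsStack() must not read the absence of a stack as evidence that the session is still valid; session validity has to be checked by the caller explicitly rather than inferred from this getter. Consider narrowing the catch to InvalidSessionException (Shiro's subtype for stopped or expired sessions) instead of the broader SessionException so that unrelated session failures are not silenced, and consider a log level above debug so concurrent invalidations remain observable in production.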

Review Comment:
   I'm not trying to be rude; I'm legitimately trying to understand: how is this safe to ignore? This appears to be the reason one of my unit tests is failing now after bumping Shiro up to `1.10.0`.
   
   So if Thread_1 invalidates the subject, then Thread_2 attempts to get the session, this block here would originally throw an exception to Thread_2 informing it that the session has been invalidated. But now Thread_2 will catch and just log the exception instead. This would essentially let Thread_2 believe the subject is still authenticated, when the session should actually be invalidated.


