Posted to commits@isis.apache.org by da...@apache.org on 2016/07/05 06:54:58 UTC

[5/8] isis git commit: ISIS-1434: changes the order in which the Shiro session is invalidated, to perform before Wicket viewer completes its own invalidation.

ISIS-1434: changes the order in which the Shiro session is invalidated, so that it is performed before the Wicket viewer completes its own invalidation.

The original implementation worked on jetty but not as a war file under Tomcat.


Project: http://git-wip-us.apache.org/repos/asf/isis/repo
Commit: http://git-wip-us.apache.org/repos/asf/isis/commit/0d906485
Tree: http://git-wip-us.apache.org/repos/asf/isis/tree/0d906485
Diff: http://git-wip-us.apache.org/repos/asf/isis/diff/0d906485

Branch: refs/heads/master
Commit: 0d906485127c41771d85e15783c0869313a27eea
Parents: 2f67917
Author: Dan Haywood <da...@haywood-associates.co.uk>
Authored: Tue Jul 5 07:38:34 2016 +0100
Committer: Dan Haywood <da...@haywood-associates.co.uk>
Committed: Tue Jul 5 07:38:34 2016 +0100

----------------------------------------------------------------------
 .../wicket/AuthenticatedWebSessionForIsis.java  | 28 +++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/isis/blob/0d906485/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java
----------------------------------------------------------------------
diff --git a/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java b/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java
index 16e4454..60750f0 100644
--- a/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java
+++ b/core/viewer-wicket-impl/src/main/java/org/apache/isis/viewer/wicket/viewer/integration/wicket/AuthenticatedWebSessionForIsis.java
@@ -81,6 +81,30 @@ public class AuthenticatedWebSessionForIsis extends AuthenticatedWebSession impl
     }
 
     @Override
+    public void invalidateNow() {
+
+        // similar code in Restful Objects viewer (UserResourceServerside#logout)
+        // this needs to be done here because Wicket will expire the HTTP session
+        // while the Shiro authenticator uses the session to obtain the details of the principals for it to logout
+        //
+        //        org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1195)
+        //        org.apache.catalina.session.StandardSessionFacade.getAttribute(StandardSessionFacade.java:108)
+        //        org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:146)
+        //        org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
+        //        org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469)
+        //        org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153)
+        //        org.apache.shiro.mgt.DefaultSecurityManager.logout(DefaultSecurityManager.java:547)
+        //        org.apache.shiro.subject.support.DelegatingSubject.logout(DelegatingSubject.java:363)
+        //        org.apache.isis.security.shiro.ShiroAuthenticatorOrAuthorizor.logout(ShiroAuthenticatorOrAuthorizor.java:179)
+        //        org.apache.isis.core.runtime.authentication.standard.AuthenticationManagerStandard.closeSession(AuthenticationManagerStandard.java:141)
+
+        getAuthenticationManager().closeSession(authenticationSession);
+        getIsisSessionFactory().closeSession();
+
+        super.invalidateNow();
+    }
+
+    @Override
     public void onInvalidate() {
         super.onInvalidate();
 
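Review bot: In the new `invalidateNow()`, `super.invalidateNow()` is skipped whenever either `closeSession` call throws, which would leave the Wicket/HTTP session valid after a failed logout; the stack trace in the comment shows Shiro's logout reading session attributes, so a failure at that point is plausible. Wrapping the calls as `try { getAuthenticationManager().closeSession(authenticationSession); getIsisSessionFactory().closeSession(); } finally { super.invalidateNow(); }` keeps the HTTP session teardown unconditional. The second hunk also removes these calls from `onInvalidate()`; if that callback is additionally reached on container-driven session expiry (not visible here), the authentication and Isis sessions would no longer be closed on that path, which is worth confirming. `onInvalidate()` continues past the end of this hunk.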
@@ -93,10 +117,6 @@ public class AuthenticatedWebSessionForIsis extends AuthenticatedWebSession impl
             userName = authenticationSession.getUserName();
         }
 
-        // similar code in Restful Objects viewer (UserResourceServerside#logout)
-        getAuthenticationManager().closeSession(authenticationSession);
-        getIsisSessionFactory().closeSession();
-
         log(SessionLoggingService.Type.LOGOUT, userName, causedBy);
     }