You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Francois Papon (JIRA)" <ji...@apache.org> on 2019/01/28 05:33:00 UTC
[jira] [Updated] (SHIRO-661) Add check for the principal of subject
whether is null
[ https://issues.apache.org/jira/browse/SHIRO-661?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francois Papon updated SHIRO-661:
---------------------------------
Description:
When session is based on servlet container(such as tomcat),if the subject is authenticated,the session will contains {{AUTHENTICATED_SESSION_KEY}} and {{PRINCIPALS_SESSION_KEY}}。
When servlet container closed, it may will be persist session.
But if the principal can not be serializable, it will not be persisted; when server restart, session will only contains {{AUTHENTICATED_SESSION_KEY}} info ,the {{PRINCIPALS_SESSION_KEY}} will be lost,
it means the subject is authenticated, but the subject does not has principal。If the user code is
{{User u = subject.getPrincipal(); // because the u if null, it will be npe u.getName(); }}
was:
When session is based on servlet container(such as tomcat),if the subject is authenticated,the session will contains {{AUTHENTICATED_SESSION_KEY}} and {{PRINCIPALS_SESSION_KEY}}。
When servlet container closed, it may will be persist session.
But if the principal can not be serializable, it will not be persisted; when server restart, session will only contains {{AUTHENTICATED_SESSION_KEY}} info ,the {{PRINCIPALS_SESSION_KEY}} will be lost,
it means the subject is authenticated, but the subject does not has principal。If the user code is
{{// code placeholder}}
> Add check for the principal of subject whether is null
> ------------------------------------------------------
>
> Key: SHIRO-661
> URL: https://issues.apache.org/jira/browse/SHIRO-661
> Project: Shiro
> Issue Type: Bug
> Components: Web
> Reporter: Francois Papon
> Assignee: Francois Papon
> Priority: Major
> Fix For: 1.4.1
>
>
> When session is based on servlet container(such as tomcat),if the subject is authenticated,the session will contains {{AUTHENTICATED_SESSION_KEY}} and {{PRINCIPALS_SESSION_KEY}}。
> When servlet container closed, it may will be persist session.
> But if the principal can not be serializable, it will not be persisted; when server restart, session will only contains {{AUTHENTICATED_SESSION_KEY}} info ,the {{PRINCIPALS_SESSION_KEY}} will be lost,
> it means the subject is authenticated, but the subject does not has principal。If the user code is
>
> {{User u = subject.getPrincipal(); // because the u if null, it will be npe u.getName(); }}
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)