Posted to dev@shiro.apache.org by "Francois Papon (JIRA)" <ji...@apache.org> on 2019/01/28 05:33:00 UTC

[jira] [Updated] (SHIRO-661) Add check for the principal of subject whether is null

     [ https://issues.apache.org/jira/browse/SHIRO-661?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francois Papon updated SHIRO-661:
---------------------------------
    Description: 
When the session is based on the servlet container (such as Tomcat), if the subject is authenticated, the session will contain {{AUTHENTICATED_SESSION_KEY}} and {{PRINCIPALS_SESSION_KEY}}.
 When the servlet container is closed, it may persist the session.
 But if the principal cannot be serialized, it will not be persisted; when the server restarts, the session will only contain the {{AUTHENTICATED_SESSION_KEY}} info, and the {{PRINCIPALS_SESSION_KEY}} will be lost.
 This means the subject is authenticated, but the subject does not have a principal. If the user code is

 

{{User u = (User) subject.getPrincipal(); // because u is null, the next line throws an NPE}}
{{u.getName();}}

 

  was:
When the session is based on the servlet container (such as Tomcat), if the subject is authenticated, the session will contain {{AUTHENTICATED_SESSION_KEY}} and {{PRINCIPALS_SESSION_KEY}}.
 When the servlet container is closed, it may persist the session.
 But if the principal cannot be serialized, it will not be persisted; when the server restarts, the session will only contain the {{AUTHENTICATED_SESSION_KEY}} info, and the {{PRINCIPALS_SESSION_KEY}} will be lost.
 This means the subject is authenticated, but the subject does not have a principal. If the user code is

 

{{// code placeholder}}

 


> Add check for the principal of subject whether is null
> ------------------------------------------------------
>
>                 Key: SHIRO-661
>                 URL: https://issues.apache.org/jira/browse/SHIRO-661
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>            Reporter: Francois Papon
>            Assignee: Francois Papon
>            Priority: Major
>             Fix For: 1.4.1
>
>
> When the session is based on the servlet container (such as Tomcat), if the subject is authenticated, the session will contain {{AUTHENTICATED_SESSION_KEY}} and {{PRINCIPALS_SESSION_KEY}}.
>  When the servlet container is closed, it may persist the session.
>  But if the principal cannot be serialized, it will not be persisted; when the server restarts, the session will only contain the {{AUTHENTICATED_SESSION_KEY}} info, and the {{PRINCIPALS_SESSION_KEY}} will be lost.
>  This means the subject is authenticated, but the subject does not have a principal. If the user code is
>  
> {{User u = (User) subject.getPrincipal(); // because u is null, the next line throws an NPE}}
> {{u.getName();}}
>  


