Posted to commits@shiro.apache.org by bm...@apache.org on 2021/08/18 11:05:51 UTC

[shiro] branch main updated: [SHIRO-678] only query parameters for sessionID if found

This is an automated email from the ASF dual-hosted git repository.

bmarwell pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/shiro.git


The following commit(s) were added to refs/heads/main by this push:
     new 3077275  [SHIRO-678] only query parameters for sessionID if found
     new 41fb3ac  Merge pull request #317 from bmarwell/SHIRO-678
3077275 is described below

commit 3077275d227a45a606aecc77d28007d339c57cb6
Author: Benjamin Marwell <bm...@apache.org>
AuthorDate: Thu Aug 12 08:46:40 2021 +0200

    [SHIRO-678] only query parameters for sessionID if found
    
     - getParameters() also parses the request body, which in turn decodes its content;
       avoid calling this method unless we know the sessionID can be in the query part.
     - getQueryString() can return null.
     - refactor out one level of nesting
---
 .../apache/shiro/web/session/mgt/DefaultWebSessionManager.java | 10 +++++++---
 .../shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy  |  5 +++--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
index 9aa275a..4fd6a4e 100644
--- a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
+++ b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
@@ -130,11 +130,15 @@ public class DefaultWebSessionManager extends DefaultSessionManager implements W
             //try the URI path segment parameters first:
             id = getUriPathSegmentParamValue(request, ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
 
-            if (id == null) {
+            if (id == null && request instanceof HttpServletRequest) {
                 //not a URI path segment parameter, try the query parameters:
                 String name = getSessionIdName();
-                id = request.getParameter(name);
-                if (id == null) {
+                HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
+                String queryString = httpServletRequest.getQueryString();
+                if (queryString != null && queryString.contains(name)) {
+                    id = request.getParameter(name);
+                }
+                if (id == null && queryString != null && queryString.contains(name.toLowerCase())) {
                     //try lowercase:
                     id = request.getParameter(name.toLowerCase());
                 }
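Review bot: `queryString.contains(name)` on the new lines is a substring test, so a query string that merely embeds the text of the session-id name — as part of another parameter's name or inside a value — still triggers `request.getParameter(name)` and with it the body parsing this commit sets out to avoid; an exact-key match is just as cheap, e.g. `boolean inQuery = queryString.startsWith(name + "=") || queryString.contains("&" + name + "=");` applied to both the original and the lowercase name. The two `name.toLowerCase()` calls are locale-sensitive; `name.toLowerCase(Locale.ROOT)` keeps the lookup key stable regardless of the JVM default locale. The `instanceof HttpServletRequest` guard does make the `WebUtils.toHttp(request)` call safe. The enclosing method continues outside the hunk on both sides.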
diff --git a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
index 35b3120..44a1449 100644
--- a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
+++ b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
@@ -158,6 +158,7 @@ public class DefaultWebSessionManagerTest {
 
         expect(cookie.getName()).andReturn(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
         expect(request.getRequestURI()).andReturn("/foo/bar?JSESSIONID=$id" as String)
+        expect(request.getQueryString()).andReturn("JSESSIONID=$id" as String)
         expect(request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME)).andReturn(id);
         request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
                 ShiroHttpServletRequest.URL_SESSION_ID_SOURCE);
@@ -193,8 +194,8 @@ public class DefaultWebSessionManagerTest {
         String id = "12345";
 
         expect(cookie.getName()).andReturn(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
-        expect(request.getRequestURI()).andReturn("/foo/bar?JSESSIONID=$id" as String)
-        expect(request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME)).andReturn(null);
+        expect(request.getRequestURI()).andReturn("/foo/bar?jsessionid=$id" as String)
+        expect(request.getQueryString()).andReturn("jsessionid=$id" as String)
         expect(request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME.toLowerCase())).andReturn(id);
         request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
                 ShiroHttpServletRequest.URL_SESSION_ID_SOURCE);
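Review bot: The updated expectations only cover query strings that contain the session-id name, so the two new branches in DefaultWebSessionManager — `getQueryString()` returning null, and a query string without the name where `getParameter` must not be called — have no test; a case with `expect(request.getQueryString()).andReturn(null)` and no `getParameter` expectation would pin the body-parse avoidance that motivates the change. Whether an unexpected `getParameter` call fails depends on the mock being a default or strict mock rather than a nice one, which is not visible in these hunks. The same applies to the hunk at the first test method above. Both enclosing test methods start before their hunks.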