Martin Grigorov created WICKET-6242:
---------------------------------------

             Summary: Weak concurrency management in 
AuthenticatedWebSession#signedIn
                 Key: WICKET-6242
                 URL: https://issues.apache.org/jira/browse/WICKET-6242
             Project: Wicket
          Issue Type: Bug
          Components: wicket-auth-roles
    Affects Versions: 7.4.0, 8.0.0-M1
            Reporter: Martin Grigorov
            Assignee: Martin Grigorov


Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz

Currently [1] uses a volatile boolean "signedIn" to control the state.
org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure()
tries to make use of it.
IMO this implementation is a bit weak. There are big windows this state to
change in the meantime.

Usually this shouldn't be a big problem, the application will authenticate
the same user twice.
But if the application does something in ISessionListener#onBind() then it
becomes a problem [2].

1.
https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
2. https://issues.apache.org/jira/browse/ISIS-1481



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to