[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15504418#comment-15504418 ]
ASF subversion and git services commented on WICKET-6242: --------------------------------------------------------- Commit d5425534a568d0cc0d4c6749a8965af69f107b8e in wicket's branch refs/heads/wicket-7.x from [~mgrigorov] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=d542553 ] WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn Unset signedIn to 'false' only if the authenticated has failed. > Weak concurrency management in AuthenticatedWebSession#signedIn > --------------------------------------------------------------- > > Key: WICKET-6242 > URL: https://issues.apache.org/jira/browse/WICKET-6242 > Project: Wicket > Issue Type: Bug > Components: wicket-auth-roles > Affects Versions: 8.0.0-M1, 7.4.0 > Reporter: Martin Grigorov > Assignee: Martin Grigorov > > Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz > Currently [1] uses a volatile boolean "signedIn" to control the state. > org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure() > tries to make use of it. > IMO this implementation is a bit weak. There are big windows this state to > change in the meantime. > Usually this shouldn't be a big problem, the application will authenticate > the same user twice. > But if the application does something in ISessionListener#onBind() then it > becomes a problem [2]. > 1. > https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java > 2. https://issues.apache.org/jira/browse/ISIS-1481 -- This message was sent by Atlassian JIRA (v6.3.4#6332)