Concurrency issue with the runAs principals stored in the Session object
------------------------------------------------------------------------
Key: SHIRO-355
URL: https://issues.apache.org/jira/browse/SHIRO-355
Project: Shiro
Issue Type: Bug
Components: Subject
Affects Versions: 1.2.0
Reporter: Marinus Geuze
Priority: Minor

Hi,

I am using the runAs functionality of Shiro. However, I think that there is a
design flaw in the implementation, because the runAs principals are stored in
the Session object. When a user makes a second request to the server
while the first request to the server is still running, there is a
concurrency issue with the stored runAs principals.

This issue caused problems in our application, which used a JSF 2.0 frontend.
Therefore I have overridden the default behavior of the
org.apache.shiro.subject.Subject class by implementing our own Subject class.
This class stores the runAs principals in the servletRequest object. The
concurrency issue is thereby fixed. See my implementation in the attachment.

Am I right that the current session implementation is incorrect? If so, please
fix this bug. If not, is it an idea to make this a configuration choice in
Shiro by using a storeRunAsPrinciplesInSession or
storeRunAsPrincipleInServletRequest indicator?

Greets,
Marinus
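
The race described in the report, as an added example that is not part of the original message and is not Shiro's code: a plain-Java model in which one shared map stands in for the session and a per-request map for the servlet request. The names RunAsScopeDemo, RUN_AS_KEY, alice and bob are constructed; latches force request B to run while request A still holds its assumed identity.

```java
import java.util.Map;
import java.util.concurrent.*;

public class RunAsScopeDemo {
    // Hypothetical stand-in for the session shared by all requests of one user.
    static final Map<String, Object> session = new ConcurrentHashMap<>();
    static final String RUN_AS_KEY = "runAsPrincipal"; // constructed key name

    // Effective principal when run-as state is read from the session.
    static String effectiveFromSession(String login) {
        return (String) session.getOrDefault(RUN_AS_KEY, login);
    }

    // Effective principal when run-as state is read from the request.
    static String effectiveFromRequest(Map<String, Object> request, String login) {
        return (String) request.getOrDefault(RUN_AS_KEY, login);
    }

    public static void main(String[] args) throws Exception {
        CountDownLatch assumed = new CountDownLatch(1);
        CountDownLatch observed = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(2);

        // Request A: assumes another identity, keeps running, then releases it.
        Future<?> a = pool.submit(() -> {
            Map<String, Object> requestA = new ConcurrentHashMap<>();
            session.put(RUN_AS_KEY, "bob");   // session-scoped storage
            requestA.put(RUN_AS_KEY, "bob");  // request-scoped storage
            assumed.countDown();
            observed.await();                 // A is still in flight while B runs
            session.remove(RUN_AS_KEY);
            return null;
        });

        // Request B: same user, same session, never asked to run as anyone.
        Future<String[]> b = pool.submit(() -> {
            assumed.await();
            Map<String, Object> requestB = new ConcurrentHashMap<>();
            String[] seen = { effectiveFromSession("alice"),
                              effectiveFromRequest(requestB, "alice") };
            observed.countDown();
            return seen;
        });

        String[] seen = b.get();
        a.get();
        pool.shutdown();
        System.out.println("session-scoped, request B sees: " + seen[0]);
        System.out.println("request-scoped, request B sees: " + seen[1]);
    }
}
```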