[
https://issues.apache.org/jira/browse/SHIRO-355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13248124#comment-13248124
]
Marinus Geuze commented on SHIRO-355:
-------------------------------------
Let’s say you have functionality like this. A button on a UI (ajax style
processing) which starts function A. Function A starts function B which uses
the RunAs mechanism. Function B does a webservice call which takes 1 minute to
process. NOTE: this is just an example.
The user pushed the button and the RunAs principle is set in the session when executing
function B. Function B does the webservice call and is busy for 1 minute.
The user gets impatient and pushes the button again. Function A and B are
executed for a second time while the first execution is still running. This
time Function A will be executed with the RunAs user because the RunAs
principles are stored in the session.
This is what I mean with the concurrency issue. By storing the RunAs principles
on the request object, you do not have this problem.
> Concurrency issue with the runAs principles stored in the Session object
> ------------------------------------------------------------------------
>
> Key: SHIRO-355
> URL: https://issues.apache.org/jira/browse/SHIRO-355
> Project: Shiro
> Issue Type: Bug
> Components: Subject
> Affects Versions: 1.2.0
> Reporter: Marinus Geuze
> Priority: Minor
> Attachments: Subject.java
>
>
> Hi,
> I am using the runAs functionality of Shiro. However I think that there is a
> design flaw in the implementation, because the runAs principles are stored in
> the Session object. However when a user does a second request to the server,
> while the first request to the server is still running, then there is a
> concurrency issue with the stored runAs principles.
> This issue caused problems in our application which used JSF2.0 frontend.
> Therefore I have overridden the default behavior of the
> org.apache.shiro.subject.Subject class, by implementing our own Subject
> class. This class stores the runAs principles in the servletRequest object.
> The concurrency issue is thereby fixed. See my implementation in the
> attachment.
> Am I right that the current session implementation is incorrect? If so,
> please fix this bug. If not, is it an idea to make this a configuration
> choice in Shiro by using a storeRunAsPrinciplesInSession or
> storeRunAsPrincipleInServletRequest indicator?
> Greets,
> Marinus
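The overlap described in the comment above can be reproduced deterministically without Shiro. The following is an added illustration, not Shiro's code and not the reporter's attached Subject.java: plain maps stand in for the session and for a per-request store, and the names `RUN_AS_KEY`, `svc-account` and `alice` are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;

// Added illustration: simulates the race with plain maps, no Shiro classes.
public class RunAsRaceDemo {
    static final String RUN_AS_KEY = "runAs"; // hypothetical attribute name

    // Effective identity: the runAs identity if the store holds one, else the login.
    static String effectiveUser(Map<String, String> store, String login) {
        return store.getOrDefault(RUN_AS_KEY, login);
    }

    // Click 1: function A runs as the caller, then function B assumes
    // "svc-account" for the duration of a slow web service call.
    static void firstClick(Map<String, String> store, CountDownLatch inB,
                           CountDownLatch finishB) throws InterruptedException {
        effectiveUser(store, "alice");            // function A, still the caller
        store.put(RUN_AS_KEY, "svc-account");     // function B assumes the identity
        try {
            inB.countDown();                      // the slow call has started
            finishB.await();                      // stand-in for the 1-minute call
        } finally {
            store.remove(RUN_AS_KEY);             // runAs released when B returns
        }
    }

    // Returns the identity function A sees on click 2 while click 1 is still
    // inside function B. sharedStore=true models session-scoped storage,
    // false models a fresh store per request.
    static String secondClickIdentity(boolean sharedStore) throws InterruptedException {
        Map<String, String> session = new ConcurrentHashMap<>();
        Map<String, String> store1 = sharedStore ? session : new ConcurrentHashMap<>();
        Map<String, String> store2 = sharedStore ? session : new ConcurrentHashMap<>();
        CountDownLatch firstInB = new CountDownLatch(1);
        CountDownLatch release = new CountDownLatch(1);
        Thread first = new Thread(() -> {
            try {
                firstClick(store1, firstInB, release);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        first.start();
        firstInB.await();                         // click 2 arrives mid-call
        String seen = effectiveUser(store2, "alice"); // function A of click 2
        release.countDown();
        first.join();
        return seen;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("session-scoped store: " + secondClickIdentity(true));
        System.out.println("request-scoped store: " + secondClickIdentity(false));
    }
}
```

With the shared store, function A of the second click resolves to the assumed identity rather than the caller, which is the behaviour the report describes; with a per-request store it resolves to the caller.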