[ https://issues.apache.org/jira/browse/SHIRO-355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13421787#comment-13421787 ]

Les Hazlewood commented on SHIRO-355:
-------------------------------------

Based on this comment, you do not want runAs principals stored in the Session 
because of the inherent concurrency issues with Sessions. This is not a 
concurrency issue with Shiro, however (this issue will show in any session use 
case).  The design currently in place is for the 80% of the 80/20 rule.

That being said, it would be nice to support runAs storage options.  Because of 
this, I'm changing this issue to a feature request, not a bug.
                
> Concurrency issue with the runAs principles stored in the Session object
> ------------------------------------------------------------------------
>
>                 Key: SHIRO-355
>                 URL: https://issues.apache.org/jira/browse/SHIRO-355
>             Project: Shiro
>          Issue Type: Bug
>          Components: Subject
>    Affects Versions: 1.2.0
>            Reporter: Marinus Geuze
>            Priority: Minor
>         Attachments: Subject.java
>
>
> Hi,
> I am using the runAs functionality of Shiro. However, I think that there is a 
> design flaw in the implementation, because the runAs principals are stored in 
> the Session object. When a user makes a second request to the server 
> while the first request to the server is still running, there is a 
> concurrency issue with the stored runAs principals.
> This issue caused problems in our application, which used a JSF 2.0 frontend.
> Therefore I have overridden the default behavior of the 
> org.apache.shiro.subject.Subject class by implementing our own Subject 
> class. This class stores the runAs principals in the servletRequest object.  
> The concurrency issue is thereby fixed. See my implementation in the 
> attachment.
> Am I right that the current session implementation is incorrect? If so, 
> please fix this bug. If not, is it an idea to make this a configuration 
> choice in Shiro by using a storeRunAsPrinciplesInSession or 
> storeRunAsPrincipleInServletRequest indicator?
> Greets,
> Marinus
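
The overlap described in the report above, modelled as an added example (not code from this thread, the reporter's attachment, or Shiro itself). It assumes a plain `Map` standing in for the session and for per-request attributes; the attribute name and the identities `alice` and `bob` are constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;

// Constructed model, not Shiro code: a Map stands in for the HTTP session
// (shared by every request of one user) and for per-request attributes.
public class RunAsScopeDemo {
    static final String KEY = "runAsPrincipals"; // hypothetical attribute name

    // Effective identity: top of the runAs stack if present, else the login identity.
    @SuppressWarnings("unchecked")
    static String effective(Map<String, Object> store, String login) {
        Deque<String> stack = (Deque<String>) store.get(KEY);
        return (stack == null || stack.isEmpty()) ? login : stack.peek();
    }

    static void runAs(Map<String, Object> store, String principal) {
        Deque<String> stack = new ArrayDeque<>();
        stack.push(principal);
        store.put(KEY, stack);
    }

    // Request A assumes "bob"; request B of the same user starts while A is
    // still running. Returns the identity that request B observes.
    static String identitySeenByB(boolean sessionScoped) throws InterruptedException {
        Map<String, Object> session = new ConcurrentHashMap<>();
        CountDownLatch aAssumed = new CountDownLatch(1), bDone = new CountDownLatch(1);
        String[] seen = new String[1];
        Thread a = new Thread(() -> {
            Map<String, Object> store = sessionScoped ? session : new ConcurrentHashMap<>();
            runAs(store, "bob");
            aAssumed.countDown();
            try { bDone.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            store.remove(KEY); // request A releases runAs only when it finishes
        });
        Thread b = new Thread(() -> {
            try { aAssumed.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            Map<String, Object> store = sessionScoped ? session : new ConcurrentHashMap<>();
            seen[0] = effective(store, "alice");
            bDone.countDown();
        });
        a.start(); b.start(); a.join(); b.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("session-scoped: B runs as " + identitySeenByB(true));
        System.out.println("request-scoped: B runs as " + identitySeenByB(false));
    }
}
```

With session-scoped storage, request B picks up the identity request A assumed; with request-scoped storage, each request sees only its own runAs state.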
