[ https://issues.apache.org/jira/browse/SHIRO-661?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francois Papon updated SHIRO-661:
---------------------------------
    Description:
When the session is based on the servlet container (such as Tomcat), if the subject is authenticated, the session will contain {{AUTHENTICATED_SESSION_KEY}} and {{PRINCIPALS_SESSION_KEY}}.
When the servlet container is closed, it may persist the session. But if the principal is not serializable, it will not be persisted; when the server restarts, the session will only contain the {{AUTHENTICATED_SESSION_KEY}} info, and the {{PRINCIPALS_SESSION_KEY}} will be lost. It means the subject is authenticated, but the subject does not have a principal. If the user code is
{code:java}
User u = (User) subject.getPrincipal(); // because u is null, this throws an NPE
u.getName();
{code}

> Add check for whether the principal of the subject is null
> ----------------------------------------------------------
>
>                 Key: SHIRO-661
>                 URL: https://issues.apache.org/jira/browse/SHIRO-661
>             Project: Shiro
>          Issue Type: Bug
>          Components: Web
>            Reporter: Francois Papon
>            Assignee: Francois Papon
>            Priority: Major
>             Fix For: 1.4.1
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
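The defensive guard the report asks for, as an added example that is not code from the issue or from the Shiro project: a helper that treats an authenticated subject with no principal as a broken session and logs it out instead of letting an unchecked cast reach `getName()`, plus a principal class that implements `Serializable` so the container can persist it in the first place. The `User`, `SessionGuard`, `currentUser` and `displayName` names are assumptions for this example; only the `Subject` and `SecurityUtils` calls are Shiro's own API.

```java
import java.io.Serializable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

// Principal stored in the HTTP session. Implementing Serializable lets Tomcat
// persist it across a restart, so PRINCIPALS_SESSION_KEY is not silently dropped
// while AUTHENTICATED_SESSION_KEY survives.
public final class User implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;

    public User(String name) { this.name = name; }
    public String getName() { return name; }
}

// Example helper (not part of Shiro). Every place that used to do
// "User u = (User) subject.getPrincipal(); u.getName();" goes through here.
final class SessionGuard {
    private SessionGuard() { }

    /**
     * Returns the current User, or null when the subject is not usable.
     * An authenticated subject whose principal is missing is the inconsistent
     * state described in SHIRO-661 (authenticated flag restored, principals
     * lost): log the subject out so the stale session state is cleared and
     * the caller re-authenticates, instead of failing later with an NPE.
     */
    static User currentUser() {
        Subject subject = SecurityUtils.getSubject();
        Object principal = subject.getPrincipal();
        if (subject.isAuthenticated() && principal == null) {
            subject.logout();
            return null;
        }
        if (!(principal instanceof User)) {
            return null; // anonymous subject, or an unexpected principal type
        }
        return (User) principal;
    }

    /** Safe replacement for the u.getName() call from the report. */
    static String displayName() {
        User u = currentUser();
        return u == null ? "anonymous" : u.getName();
    }
}
```

When `currentUser()` returns null for a request that requires login, the caller should redirect to the login page rather than continue with the session.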