[ https://issues.apache.org/jira/browse/WICKET-5775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14295884#comment-14295884 ]
Martin Grigorov edited comment on WICKET-5775 at 1/29/15 7:55 AM:
------------------------------------------------------------------

This change seems to break applications which use Apache Shiro for authen/authorization :-/
After replacing the session Shiro continues to use the old http session and any roles/permissions checks fail.
Probably the solution is:
- apply the suggested solution at https://issues.apache.org/jira/browse/SHIRO-170 to the application code where Shiro Subject#login(token) is called
- override Wicket's Session#replaceSession() to do nothing, because Shiro handles this

was (Author: mgrigorov):
This change seems to break applications which use Apache Shiro for authen/authorization :-/
After replacing the session Shiro continues to use the old http session and any roles/permissions checks fail.
Workaround is to override Wicket's Session#replaceSession() to do nothing.

> Replace the session upon successful signin for better support for Session Fixation
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-5775
>                 URL: https://issues.apache.org/jira/browse/WICKET-5775
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-auth-roles
>    Affects Versions: 6.18.0, 7.0.0-M4
>            Reporter: Martin Grigorov
>            Assignee: Martin Grigorov
>            Priority: Minor
>             Fix For: 7.0.0-M5, 6.19.0
>
>
> See http://markmail.org/message/twbipkcmc5v6rto7:
> --------------------------------
> Hi all,
> during implementing the login in my current project I came across WICKET-1767[1] which deals with session fixation problems, but to my surprise it looks like the newly created method is not called automatically by Wicket. If I search the code base for "replaceSession(" I only get one result, the method itself.
> Is there any reason why Wicket doesn't call the method automatically? Looks to me like AuthenticatedWebSession.signIn would be a good place to call it automatically.
> When should I call it instead, at the beginning of AuthenticatedWebSession.authenticate? This would prevent session fixation even if an exception got thrown during the authentication itself for any reason.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
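The session replacement the issue asks for, and why code that still holds the old session breaks afterwards (the Shiro symptom in the comment above), shown as an added Java example written against the Servlet API; it is not Wicket's or Shiro's own code. It assumes javax.servlet on the classpath, and changeSessionId() needs a Servlet 3.1 or later container.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example: rotate the HTTP session id at login so an id that existed
 *  before authentication is never promoted to an authenticated session. */
public final class SessionFixationGuard {

    /** Servlet 3.1+ path: the container keeps the same HttpSession object and
     *  its attributes and only issues a fresh id, so frameworks that cached a
     *  reference to the session keep working. */
    public static String rotateId(HttpServletRequest request) {
        request.getSession(true);          // changeSessionId() needs an existing session
        return request.changeSessionId();  // returns the new id
    }

    /** Pre-3.1 path, which is what a hand-written replaceSession() must do:
     *  copy attributes, invalidate, create a new session, restore attributes.
     *  Anything that cached the old HttpSession now holds an invalidated one
     *  (attribute access throws IllegalStateException), which is the kind of
     *  breakage the comment above reports for Shiro. */
    public static HttpSession replace(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call either method from the login path before the authenticated state is stored, which is the placement the quoted mailing-list message argues for; on a 3.1+ container rotateId() is the one that leaves other frameworks' cached session references intact.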