Hello All,
I've got a strange Shiro problem I'm trying to track down where
sometimes (race condition?) a session ends up containing the
Authentication setting as true, but doesn't have a principal.
Here is what seems to be happening:
1) User accesses our system with a URL.
2) The URL contains a magic path that authenticates them and logs them
in. The Subject now is Authenticated and has a Principal.
3) The requested web page is sent to them.
4) The web page includes other pages (JavaScript, CSS, etc.). The
second request sometimes fails (accessing JavaScript) because the
Subject is now Authenticated, but doesn't have a Principal, so we can't
Authorize them.
With various break points, I can tell that the first subject is
generated correctly and seems to be saved to the session correctly. The
second subject is generated incorrectly because the session (same
session ID, I checked) does not have a Principal (even though it does
have an Authenticated value of true).
I've not had any luck figuring out what code is removing the Principal
from the session, so I'm hoping for some pointers or debugging ideas.
Setting a break point on SessionDAO.update(Session) has not proven helpful.
Any ideas?
Thanks!
Sincerely,
Stephen McCants
--
Stephen McCants
Senior Software Engineer
Healthcare Control Systems
1-877-877-8795 x116