Yes, it worked. Thank you. I've created the PR with my fix proposition.

Sun, 17 Oct 2021 at 12:07 Dmitriy Kopylenko <[email protected]> wrote:

> Hi.
>
> You should be able to fork this repository on GitHub to your account, push
> changes there and create pull requests from your remote fork.
>
> Hope this helps.
>
> D.
>
> On Sun, Oct 17, 2021 at 04:12 Krzysztof Ślusarski <[email protected]> wrote:
>
>> The class org.jasig.cas.client.session.HashMapBackedSessionMappingStorage
>> contains 2 maps:
>>
>>     private final Map<String, HttpSession> MANAGED_SESSIONS = new HashMap<String, HttpSession>();
>>     private final Map<String, String> ID_TO_SESSION_KEY_MAPPING = new HashMap<String, String>();
>>
>> There is a part of the CAS client that listens on server events and clears
>> that storage on session destroy. That code is in
>> org.jasig.cas.client.session.SingleSignOutHttpSessionListener. The
>> problem is that the public API of javax.servlet.http.HttpServletRequest
>> has a method (from servlet v3.1):
>>
>>     String changeSessionId();
>>
>> That method doesn't destroy a session, but changes its id. This type of
>> action doesn't affect the maps in the HashMapBackedSessionMappingStorage.
>> It causes a memory leak, because a session with a changed id cannot be
>> removed from the storage. Changing the session id is the default of the
>> Spring implementation of session fixation, so the problem may be popular
>> in the future. The default is implemented in
>> org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy
>> and is created as default in
>> org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer#createDefaultSessionFixationProtectionStrategy.
>>
>> Possible fix: implement a listener that implements
>> javax.servlet.http.HttpSessionIdListener and manipulates the maps
>> in HashMapBackedSessionMappingStorage. I've implemented this, but I cannot
>> push my branch into https://github.com/apereo/java-cas-client:
>>
>>     ERROR: Permission to apereo/java-cas-client.git denied to krzysztofslusarski.
>>     fatal: Could not read from remote repository.
>>     Please make sure you have the correct access rights
>>     and the repository exists.
>>
>> Can I get the right to perform a push and do a pull request?
>>
>> Best regards,
>> Krzysztof Ślusarski
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "CAS Developer" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-dev/CACjVSqEk5sTLLFhVXL8K7%3Dkb-cYJnnWYv%3D%2B5j6Q6U01yFS4msg%40mail.gmail.com
>> .
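As an added illustration of the fix Krzysztof describes (example code written for this page, not code from the thread, the PR, or java-cas-client itself): a storage that holds the two maps named in the message, plus a Servlet 3.1 HttpSessionIdListener that re-keys the ID_TO_SESSION_KEY_MAPPING entry when changeSessionId() fires, so the later session-destroyed event can still find and evict the entry instead of leaking it. The class name and the addSessionById/removeBySessionById method names are assumptions chosen for this example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

/**
 * Constructed stand-in for the two maps described in the thread
 * (hypothetical class, not the project's HashMapBackedSessionMappingStorage).
 *   managedSessions:        CAS ticket (mapping id) -> HttpSession
 *   idToSessionKeyMapping:  servlet session id      -> CAS ticket
 */
public class SessionIdChangeAwareStorage implements HttpSessionIdListener {
    private final Map<String, HttpSession> managedSessions = new HashMap<>();
    private final Map<String, String> idToSessionKeyMapping = new HashMap<>();

    /** Called when the CAS ticket is validated for a session (assumed name). */
    public synchronized void addSessionById(String mappingId, HttpSession session) {
        idToSessionKeyMapping.put(session.getId(), mappingId);
        managedSessions.put(mappingId, session);
    }

    /** Called from a sessionDestroyed() listener with the CURRENT session id (assumed name). */
    public synchronized void removeBySessionById(String sessionId) {
        String mappingId = idToSessionKeyMapping.remove(sessionId);
        if (mappingId != null) {
            managedSessions.remove(mappingId);
        }
    }

    /**
     * Servlet 3.1 HttpSessionIdListener callback, fired by the container after
     * HttpServletRequest.changeSessionId(). Without this re-keying, the entry stays
     * under the old id and removeBySessionById(newId) never matches, which is the leak.
     * The HttpSession object itself is unchanged, so managedSessions needs no update.
     */
    @Override
    public synchronized void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        String mappingId = idToSessionKeyMapping.remove(oldSessionId);
        if (mappingId != null) {
            idToSessionKeyMapping.put(event.getSession().getId(), mappingId);
        }
    }

    /** Number of tracked sessions; useful as a leak indicator in tests or metrics. */
    public synchronized int size() {
        return idToSessionKeyMapping.size();
    }
}
```

The listener must be registered with the container (via @WebListener or a web.xml listener entry) on the same instance that the single-sign-out filter and session listener use, otherwise the re-keying never runs.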
