[ https://issues.apache.org/jira/browse/WICKET-6530?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16352364#comment-16352364 ]

ASF GitHub Bot commented on WICKET-6530:
----------------------------------------

GitHub user papegaaij opened a pull request:

    https://github.com/apache/wicket/pull/266

    WICKET-6530: fix possible race-condition for session invalidation

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/papegaaij/wicket WICKET-6530

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/wicket/pull/266.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #266
    
----
commit e7109db9d446dc8fcf65eb0d91d840c13afdfc4c
Author: Emond Papegaaij <papegaaij@...>
Date:   2018-02-05T13:10:21Z

    WICKET-6530: fix possible race-condition for session invalidation

----


> Race-condition in session invalidation
> --------------------------------------
>
>                 Key: WICKET-6530
>                 URL: https://issues.apache.org/jira/browse/WICKET-6530
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 7.9.0, 8.0.0-M8
>            Reporter: Emond Papegaaij
>            Priority: Major
>
> Session.invalidate sets a boolean on the session that invalidation is 
> required on detach. However, this boolean can be read by several requests, 
> triggering multiple invalidations. An HTTP session can only be invalidated 
> once; every subsequent call will trigger an IllegalStateException:
> {code:java}
> Caused by: java.lang.IllegalStateException: UT000021: Session already invalidated
>       at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:543)
>       at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529)
>       at io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198)
>       at org.apache.wicket.session.HttpSessionStore.invalidate(HttpSessionStore.java:188)
>       at org.apache.wicket.Session.destroy(Session.java:493)
>       at org.apache.wicket.Session.invalidateNow(Session.java:508)
>       at org.wicketstuff.security.WaspSession.invalidateNow(WaspSession.java:117)
>       at org.apache.wicket.Session.detach(Session.java:655)
>       at org.wicketstuff.security.WaspSession.detach(WaspSession.java:129)
>       at org.apache.wicket.request.cycle.RequestCycle.onDetach(RequestCycle.java:654)
>       at org.apache.wicket.request.cycle.RequestCycle.detach(RequestCycle.java:594)
>       at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:297)
>       at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261)
>       at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
>       at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284)
>       at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>       at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>       at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>       at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>       at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>       ... 55 more
> {code}
> I propose to set the boolean in request metadata. I'll submit a PR later 
> today to demonstrate this solution.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
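
The race described in the issue, and the effect of moving the marker from the session to the request, as an added example that is not part of the original message, the pull request, or Wicket's code. It is a simplified model: `InvalidationRaceDemo`, `FakeHttpSession` and `run` are hypothetical names, and a barrier forces the interleaving in which both requests read the flag before either one invalidates.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class InvalidationRaceDemo {
    // Stand-in for a container HttpSession: a second invalidate() throws.
    static class FakeHttpSession {
        private boolean valid = true;
        synchronized void invalidate() {
            if (!valid) throw new IllegalStateException("Session already invalidated");
            valid = false;
        }
    }

    // Runs the detach phase of two concurrent requests on one session and
    // returns how many invalidate() calls failed.
    static int run(boolean perRequest) throws Exception {
        FakeHttpSession http = new FakeHttpSession();
        boolean[] sharedFlag = { true };          // marker stored on the shared session
        boolean[] requestFlag = { true, false };  // marker stored per request: only request 0 asked
        CyclicBarrier bothHaveRead = new CyclicBarrier(2);
        AtomicInteger failures = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(2);
        for (int i = 0; i < 2; i++) {
            final int id = i;
            pool.submit(() -> {
                boolean mustInvalidate = perRequest ? requestFlag[id] : sharedFlag[0];
                bothHaveRead.await();  // both requests have read the flag before either acts
                if (mustInvalidate) {
                    try {
                        http.invalidate();
                        sharedFlag[0] = false;  // reset comes too late for the other reader
                    } catch (IllegalStateException e) {
                        failures.incrementAndGet();
                    }
                }
                return null;
            });
        }
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
        return failures.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("flag on session:  " + run(false) + " failed invalidation(s)");
        System.out.println("flag per request: " + run(true) + " failed invalidation(s)");
    }
}
```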
