Martin Grigorov created ISIS-1018:
-------------------------------------
Summary: Do not allow http session replacement in Wicket because Shiro knowledge becomes outdated
Key: ISIS-1018
URL: https://issues.apache.org/jira/browse/ISIS-1018
Project: Isis
Issue Type: Improvement
Components: Viewer: Wicket
Affects Versions: viewer-wicket-1.7.0
Reporter: Martin Grigorov
Assignee: Martin Grigorov
While testing Wicket 6.19.0 with Isis I've found that most menu items were not displayed.
The reason was that since http://issues.apache.org/jira/browse/WICKET-5775 Wicket(-auth-roles) replaces the http session after successful login to prevent session fixation attacks.
This leads to problems with Shiro authorizations later because Shiro is not notified about the replacement and keeps using the old http session data.
https://issues.apache.org/jira/browse/SHIRO-170?focusedCommentId=13108301&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13108301 suggests how to do session replacement with Shiro.
Whether we do session replacement with Shiro or no replacement at all, I suggest making Wicket's Session#replaceSession() a no-op method to avoid any similar problems in the future.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
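The no-op override the report proposes, written out as an added illustration (not code from the Isis project or from the ticket); the session class name and the Wicket 6 auth-roles base class are assumptions, and the trade-off it carries is spelled out in the comments:

```java
import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Hypothetical Wicket session class for a Shiro-backed application.
 *
 * Since WICKET-5775, AuthenticatedWebSession#signIn() calls
 * Session#replaceSession() after a successful login so that the
 * session id used before authentication cannot be fixed by an attacker.
 * Shiro, however, is not told about the new http session and keeps
 * reading the old one, so role lookups silently come back empty.
 */
public class ShiroBackedWebSession extends AuthenticatedWebSession {

    public ShiroBackedWebSession(Request request) {
        super(request);
    }

    /**
     * Disable Wicket's post-login session replacement, as suggested in
     * ISIS-1018, so Shiro's view of the http session stays valid.
     *
     * Trade-off: this gives up Wicket's built-in session-fixation
     * mitigation. Session-id rotation on login should then be done by
     * the layer that owns the session state (Shiro, see SHIRO-170),
     * otherwise the pre-login session id remains usable after login.
     */
    @Override
    public void replaceSession() {
        // intentionally a no-op: do not call super.replaceSession()
    }

    @Override
    public boolean authenticate(String username, String password) {
        // delegate to the application's Shiro-based authentication (assumed)
        return ShiroAuthenticator.login(username, password);
    }

    @Override
    public Roles getRoles() {
        // roles are read from Shiro for the current http session (assumed)
        return new Roles(ShiroAuthenticator.rolesForCurrentSubject());
    }

    public static ShiroBackedWebSession get() {
        return (ShiroBackedWebSession) Session.get();
    }
}
```

`ShiroAuthenticator` stands for whatever adapter the application already uses to call Shiro; it is a placeholder, not an Isis or Shiro class.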