[
https://issues.apache.org/jira/browse/ISIS-1018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14296558#comment-14296558
]
ASF subversion and git services commented on ISIS-1018:
-------------------------------------------------------
Commit 8c13404ec166e666ef905c81f32480931e414dbc in isis's branch
refs/heads/master from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=isis.git;h=8c13404 ]
ISIS-1018 Do not allow http session replacement in Wicket because Shiro
knowledge becomes outdated
> Do not allow http session replacement in Wicket because Shiro knowledge
> becomes outdated
> ----------------------------------------------------------------------------------------
>
> Key: ISIS-1018
> URL: https://issues.apache.org/jira/browse/ISIS-1018
> Project: Isis
> Issue Type: Improvement
> Components: Viewer: Wicket
> Affects Versions: viewer-wicket-1.7.0
> Reporter: Martin Grigorov
> Assignee: Martin Grigorov
> Fix For: viewer-wicket-1.8.0
>
>
> While testing Wicket 6.19.0 with Isis I've found that most menu items were
> not displayed.
> The reason was that since http://issues.apache.org/jira/browse/WICKET-5775
> Wicket(-auth-roles) replaces the http session after successful login to
> prevent session fixation attacks.
> This leads to problems with Shiro authorizations later because Shiro is not
> notified about the replacement and keeps using the old http session data.
> https://issues.apache.org/jira/browse/SHIRO-170?focusedCommentId=13108301&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13108301
> suggests how to do session replacement with Shiro.
> With session replacement with Shiro or without any replacement, I suggest
> making Wicket's Session#replaceSession() a no-op method to avoid any similar
> problems in the future.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
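The interaction the issue describes, as an added example (not Isis, Wicket or Shiro project code): a Wicket WebSession subclass that overrides replaceSession() so the post-login session rotation goes through Shiro instead of behind its back. Assumptions, none of them from the issue: Wicket 6.19 or later (where Session#replaceSession() exists and is public), Shiro 1.2 with the default servlet-container session manager (so a Shiro Session is the HttpSession and the Shiro filter has bound a Subject to the request thread), and that Wicket's public Session#bind() is enough to attach the Wicket session to the freshly created container session. The class name and the ROTATE_THROUGH_SHIRO constant are hypothetical; setting it to false gives the no-op the issue proposes.

```java
// Added example, not Isis/Wicket/Shiro code. Assumes Wicket 6.19+ and Shiro 1.2 with
// the servlet-container session manager (Shiro Session == HttpSession).
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

public class ShiroAwareWebSession extends WebSession {

    // false reproduces the fix proposed in ISIS-1018: replaceSession() becomes a no-op,
    // so Shiro's view of the session is never invalidated without its knowledge.
    private static final boolean ROTATE_THROUGH_SHIRO = true;

    public ShiroAwareWebSession(Request request) {
        super(request);
    }

    /**
     * Wicket(-auth-roles) calls this after a successful sign-in to defeat session fixation.
     * The default implementation invalidates the container session and binds a new one.
     * Shiro is not told, so its Subject keeps pointing at the dead HttpSession and every
     * later authorization check sees no principals (the "missing menu items" symptom).
     */
    @Override
    public void replaceSession() {
        if (!ROTATE_THROUGH_SHIRO) {
            return; // no-op: Shiro's knowledge of the session stays valid
        }
        Subject subject = SecurityUtils.getSubject();
        Session old = subject.getSession(false);
        if (old == null) {
            super.replaceSession(); // nothing of Shiro's to preserve, Wicket's rotation is fine
            return;
        }
        // 1. Copy Shiro's session attributes. Shiro's SubjectDAO re-saves principals and the
        //    authenticated flag at the end of the request anyway; copying also keeps
        //    application attributes stored in the Shiro session.
        Map<Object, Object> attrs = new HashMap<>();
        for (Object key : old.getAttributeKeys()) {
            attrs.put(key, old.getAttribute(key));
        }
        // 2. Stop the old session through Shiro. With the container session manager this
        //    invalidates the HttpSession and clears the Subject's cached session reference,
        //    which is exactly what Wicket's own replaceSession() fails to do.
        old.stop();
        // 3. Ask Shiro for a new session: request.getSession() now yields a new id.
        Session fresh = subject.getSession(true);
        for (Map.Entry<Object, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // 4. Re-attach this Wicket session to the new container session. Assumption: the
        //    public Session#bind() is sufficient; check it against your Wicket version's
        //    replaceSession() implementation before relying on it.
        bind();
    }
}
```

The ordering matters: Shiro must stop the session first, because once Wicket has invalidated the HttpSession the stale Shiro Session object can neither be read (IllegalStateException on getAttribute) nor stopped cleanly. Whichever variant is chosen, the check to run afterwards is the one from the issue: log in, confirm the JSESSIONID changed (if rotating), and confirm that Shiro's hasRole()/isPermitted() still return the expected results on the next request.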