[ https://issues.apache.org/jira/browse/ISIS-1018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Grigorov resolved ISIS-1018.
-----------------------------------
Resolution: Fixed
Fix Version/s: viewer-wicket-1.8.0
> Do not allow http session replacement in Wicket because Shiro knowledge becomes outdated
> -----------------------------------------------------------------------------------------
>
> Key: ISIS-1018
> URL: https://issues.apache.org/jira/browse/ISIS-1018
> Project: Isis
> Issue Type: Improvement
> Components: Viewer: Wicket
> Affects Versions: viewer-wicket-1.7.0
> Reporter: Martin Grigorov
> Assignee: Martin Grigorov
> Fix For: viewer-wicket-1.8.0
>
>
> While testing Wicket 6.19.0 with Isis, I found that most menu items were
> not displayed.
> The reason was that since http://issues.apache.org/jira/browse/WICKET-5775
> Wicket (-auth-roles) replaces the http session after successful login to
> prevent session fixation attacks.
> This leads to problems with Shiro authorizations later, because Shiro is not
> notified about the replacement and keeps using the old http session data.
> https://issues.apache.org/jira/browse/SHIRO-170?focusedCommentId=13108301&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13108301
> suggests how to do session replacement with Shiro.
> With session replacement with Shiro or without any replacement, I suggest
> making Wicket's Session#replaceSession() a no-op method to avoid any similar
> problems in the future.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
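The following is an added illustration of the workaround the issue describes, written here for this page; it is not the Isis viewer's own code and not the patch that resolved ISIS-1018. It assumes a hypothetical Wicket `AuthenticatedWebSession` subclass (`ShiroBackedWebSession`) that delegates `authenticate()` to a Shiro `Subject`, and hypothetical role names (`admin`, `user`) that a real application would take from its Shiro realm. The security-relevant part is the `replaceSession()` override: wicket-auth-roles calls it after a successful sign-in to defeat session fixation by swapping the `HttpSession`, but Shiro's web session stays bound to the old `HttpSession`, so later `hasRole()` / `isPermitted()` checks run against stale state (the empty menus reported above).

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

/**
 * Hypothetical Wicket session backed by Shiro (example for this page, not
 * the Isis viewer's class). Shows the ISIS-1018 workaround: keep Wicket from
 * swapping the HttpSession underneath Shiro.
 */
public class ShiroBackedWebSession extends AuthenticatedWebSession {

    public ShiroBackedWebSession(Request request) {
        super(request);
    }

    /** Authenticate against Shiro; wicket-auth-roles calls this from signIn(). */
    @Override
    public boolean authenticate(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return true;
        } catch (AuthenticationException e) {
            // wrong credentials, locked account, etc.
            return false;
        }
    }

    /** Map Shiro roles onto Wicket Roles for the authorization strategy. */
    @Override
    public Roles getRoles() {
        Roles roles = new Roles();
        Subject subject = SecurityUtils.getSubject();
        // Hypothetical role names; a real application reads them from its realm.
        for (String role : new String[] { "admin", "user" }) {
            if (subject.hasRole(role)) {
                roles.add(role);
            }
        }
        return roles;
    }

    /**
     * Since WICKET-5775, wicket-auth-roles invokes this after a successful
     * sign-in to replace the HttpSession (session-fixation defence). Shiro is
     * not told about the swap and keeps the old HttpSession's state, so its
     * authorization checks go stale. Making this a no-op keeps Wicket and
     * Shiro on the same HttpSession, as proposed in ISIS-1018.
     */
    @Override
    public void replaceSession() {
        // intentionally empty; see ISIS-1018
    }
}
```

Caveat for anyone copying this pattern: the no-op removes Wicket's own session-fixation defence, so the application should still ensure the session id presented before authentication is not the one used afterwards, for instance by doing the replacement in a way Shiro is aware of, as the SHIRO-170 comment linked above discusses. The override only stops Wicket and Shiro from disagreeing about which `HttpSession` is current; it does not by itself provide that protection.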