Ariel Isaac created SHIRO-546:
---------------------------------

             Summary: DefaultWebSessionManager onStart might produce nullPointer Exception
                 Key: SHIRO-546
                 URL: https://issues.apache.org/jira/browse/SHIRO-546
             Project: Shiro
          Issue Type: Bug
          Components: Session Management
    Affects Versions: 1.2.4
            Reporter: Ariel Isaac
             Fix For: 1.3.0, 2.0.0, 1.2.5


DefaultWebSessionManager#onStart(): when you get the HttpServletRequest it might 
be null and throw a null pointer exception, so it might need a little validation.

from
{code}
    @Override
    protected void onStart(Session session, SessionContext context) {
        super.onStart(session, context);

        if (!WebUtils.isHttp(context)) {
            log.debug("SessionContext argument is not HTTP compatible or does not have an HTTP request/response " +
                    "pair. No session ID cookie will be set.");
            return;
        }
        HttpServletRequest request = WebUtils.getHttpRequest(context);
        HttpServletResponse response = WebUtils.getHttpResponse(context);

        if (isSessionIdCookieEnabled()) {
            Serializable sessionId = session.getId();
            storeSessionId(sessionId, request, response);
        } else {
            log.debug("Session ID cookie is disabled.  No cookie has been set for new session with id {}", session.getId());
        }

        request.removeAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE);
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_IS_NEW, Boolean.TRUE);
    }
{code}

to 
{code}
    @Override
    protected void onStart(Session session, SessionContext context) {
        super.onStart(session, context);

        if (!WebUtils.isHttp(context)) {
            log.debug("SessionContext argument is not HTTP compatible or does not have an HTTP request/response " +
                    "pair. No session ID cookie will be set.");
            return;
        }
        HttpServletRequest request = WebUtils.getHttpRequest(context);
        HttpServletResponse response = WebUtils.getHttpResponse(context);

        if (isSessionIdCookieEnabled()) {
            Serializable sessionId = session.getId();
            storeSessionId(sessionId, request, response);
        } else {
            log.debug("Session ID cookie is disabled.  No cookie has been set for new session with id {}", session.getId());
        }

        if (request != null) {
            request.removeAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_IS_NEW, Boolean.TRUE);
        }
    }
{code}


