[ https://issues.apache.org/jira/browse/WICKET-6530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emond Papegaaij resolved WICKET-6530. ------------------------------------- Resolution: Fixed Fix Version/s: 6.29.0 7.10.0 8.0.0 > Race-condition in session invalidation > -------------------------------------- > > Key: WICKET-6530 > URL: https://issues.apache.org/jira/browse/WICKET-6530 > Project: Wicket > Issue Type: Bug > Components: wicket > Affects Versions: 7.9.0, 8.0.0-M8 > Reporter: Emond Papegaaij > Priority: Major > Fix For: 8.0.0, 7.10.0, 6.29.0 > > > Session.invalidate sets a boolean on the session that invalidation is > required on detach. However, this boolean can be read by several requests, > triggering multiple invalidations. A HTTP session can only be invalidated > once, every subsequent call will trigger an IllegalStateException: > {code:java} > Caused by: java.lang.IllegalStateException: UT000021: Session already > invalidated > at > io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:543) > at > io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529) > at > io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198) > at > org.apache.wicket.session.HttpSessionStore.invalidate(HttpSessionStore.java:188) > at org.apache.wicket.Session.destroy(Session.java:493) > at org.apache.wicket.Session.invalidateNow(Session.java:508) > at > org.wicketstuff.security.WaspSession.invalidateNow(WaspSession.java:117) > at org.apache.wicket.Session.detach(Session.java:655) > at org.wicketstuff.security.WaspSession.detach(WaspSession.java:129) > at > org.apache.wicket.request.cycle.RequestCycle.onDetach(RequestCycle.java:654) > at > org.apache.wicket.request.cycle.RequestCycle.detach(RequestCycle.java:594) > at > org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:297) > at > org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261) > at > org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) > at > org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) > at > org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) > at > org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) > ... 55 more > {code} > I propose to set the boolean in request metadata. I'll submit a PR later > today to demonstrate this solution. -- This message was sent by Atlassian JIRA (v7.6.3#76005)