[
https://issues.apache.org/jira/browse/WICKET-6530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Emond Papegaaij resolved WICKET-6530.
-------------------------------------
Resolution: Fixed
Fix Version/s: 6.29.0
7.10.0
8.0.0
> Race-condition in session invalidation
> --------------------------------------
>
> Key: WICKET-6530
> URL: https://issues.apache.org/jira/browse/WICKET-6530
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 7.9.0, 8.0.0-M8
> Reporter: Emond Papegaaij
> Priority: Major
> Fix For: 8.0.0, 7.10.0, 6.29.0
>
>
> Session.invalidate sets a boolean on the session that invalidation is
> required on detach. However, this boolean can be read by several requests,
> triggering multiple invalidations. A HTTP session can only be invalidated
> once, every subsequent call will trigger an IllegalStateException:
> {code:java}
> Caused by: java.lang.IllegalStateException: UT000021: Session already
> invalidated
> at
> io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:543)
> at
> io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529)
> at
> io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198)
> at
> org.apache.wicket.session.HttpSessionStore.invalidate(HttpSessionStore.java:188)
> at org.apache.wicket.Session.destroy(Session.java:493)
> at org.apache.wicket.Session.invalidateNow(Session.java:508)
> at
> org.wicketstuff.security.WaspSession.invalidateNow(WaspSession.java:117)
> at org.apache.wicket.Session.detach(Session.java:655)
> at org.wicketstuff.security.WaspSession.detach(WaspSession.java:129)
> at
> org.apache.wicket.request.cycle.RequestCycle.onDetach(RequestCycle.java:654)
> at
> org.apache.wicket.request.cycle.RequestCycle.detach(RequestCycle.java:594)
> at
> org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:297)
> at
> org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261)
> at
> org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
> at
> org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284)
> at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at
> org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
> at
> org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
> at
> org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
> ... 55 more
> {code}
> I propose to set the boolean in request metadata. I'll submit a PR later
> today to demonstrate this solution.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
