I believe you can be sure your security data is specific to the authenticated
user if it is bound to the Shiro session and that it is disposed of when calling
session.stop(); at least that is how I read the API.

Yet, quote from API:
"org.apache.shiro.session
Interface Session
  All Known Subinterfaces:
      ValidatingSession
  All Known Implementing Classes:
      DelegatingSession, *HttpServletSession*, ImmutableProxiedSession,
ProxiedSession, SimpleSession"

"public class HttpServletSession
extends Object
implements Session

Session implementation that is backed entirely by a standard servlet
container HttpSession instance. It does not interact with any of Shiro's
session-related components SessionManager, SecurityManager, etc, and instead
satisfies all method implementations by interacting with a servlet container
provided HttpSession instance. "

Does this mean your session's data might get leaked because the container
exposes its HttpServletSession to something I am not aware of? As far as I
understand it, in a web context the Shiro session is actually an
HttpServletSession provided by the container.

Hm, not sure, not sure at all, but I would feel kind of uneasy not knowing
who / what has access to the session and whether sensitive data might get
leaked. 

Sorry, I do not know enough about this topic to assist you but maybe
somebody else?

--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Use-of-Session-as-a-context-bucket-tp7579404p7579416.html
Sent from the Shiro User mailing list archive at Nabble.com.
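Added example (not from the poster or from the Shiro project): a small standalone check of the point discussed above, namely that data bound to the Shiro Session stops being reachable once the Subject logs out (which calls session.stop()). It uses Shiro's DefaultSecurityManager with an in-memory IniRealm so it runs without a servlet container; the user, password and attribute key are constructed values.

```java
// Added example, not part of the original thread: binds per-user data to the
// Shiro Session and verifies it becomes unreachable after logout stops the
// session. Standalone DefaultSecurityManager + IniRealm, no servlet container.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class SessionScopeCheck {

    // Namespaced attribute key (constructed): the session is a shared bucket,
    // so a prefix keeps our entries from colliding with other filters/libraries.
    static final String SECRET_KEY = "com.example.app.perUserSecret";

    static void configure() {
        Ini ini = new Ini();
        // Constructed test user for the in-memory realm.
        ini.setSectionProperty("users", "alice", "alice-password");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
    }

    /** Returns true only if the attribute can no longer be read after logout. */
    static boolean attributeUnreachableAfterLogout() {
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "alice-password"));

        Session session = subject.getSession();
        session.setAttribute(SECRET_KEY, "per-user value");

        // Sanity check while the session is live.
        if (!"per-user value".equals(session.getAttribute(SECRET_KEY))) {
            return false;
        }

        // logout() stops the session; DefaultSessionManager deletes stopped
        // sessions from its SessionDAO by default (deleteInvalidSessions=true).
        subject.logout();

        try {
            session.getAttribute(SECRET_KEY);
            return false; // still readable: the data outlived the login
        } catch (InvalidSessionException expected) {
            return true;  // a stopped session rejects further access
        }
    }

    public static void main(String[] args) {
        configure();
        System.out.println("attribute cleared after logout: " + attributeUnreachableAfterLogout());
    }
}
```

In a web application using ShiroFilter's default ServletContainerSessionManager, subject.getSession() returns the HttpServletSession quoted above, and its stop() calls HttpSession.invalidate(), so the same check then exercises the container's own session store rather than Shiro's in-memory one.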