
[#2704] [#2710] [3.x] Fixed Session fixation-related regressions#2711

Open
lprimak wants to merge 2 commits into
apache:3.xfrom
lprimak:session-fixation

Conversation

@lprimak
Contributor

@lprimak lprimak commented May 21, 2026

Session fixation enhancements caused regressions.
Affects native session management only.

fixes #2704
fixes #2710

Following this checklist to help us incorporate your contribution quickly and easily:

  • Make sure there is a GitHub issue filed
    for the change (usually before you start working on it). Trivial changes like typos do not
    require a GitHub issue. Your pull request should address just this issue, without pulling in other changes.
  • Format the pull request title like [#XXX] - Fixes bug in SessionManager,
    where you replace #XXX with the appropriate GitHub issue. Best practice
    is to use the GitHub issue title in the pull request title and in the first line of the commit message.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • add fixes #XXX if merging the PR should close a related issue.
  • Run mvn verify to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
  • Committers: Make sure a milestone is set on the PR
  • Committers: Use "Squash and Merge" to combine all commits into one when merging a PR when appropriate.

Trivial changes like typos do not require a GitHub issue (javadoc, comments...).
In this case, just format the pull request title like [DOC] - Add javadoc in SessionManager.

If this is your first contribution, you have to read the Contribution Guidelines

If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement
if you are unsure please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

@github-actions github-actions Bot added java Pull requests that update Java code tests labels May 21, 2026
@lprimak lprimak changed the title Session fixation Fixed Session fixation-related regressions May 21, 2026
@lprimak lprimak changed the title Fixed Session fixation-related regressions [#2704] [#2710] [3.x] Fixed Session fixation-related regressions May 21, 2026
@lprimak lprimak added this to the 3.0.0 milestone May 21, 2026
@lprimak lprimak self-assigned this May 21, 2026

@apupier

apupier commented May 21, 2026

I backported the fix to 2.22.0 locally and tested with Apache Camel (the project which reported the issue initially). It is working fine on the Camel side.

I tried with the main branch 3.x with Apache Camel, but there is a different error:

java.lang.IllegalArgumentException: URI is not absolute
	at java.base/java.net.URL.of(URL.java:862)
	at java.base/java.net.URI.toURL(URI.java:1172)
	at org.apache.shiro.lang.io.ResourceUtils.getURLForPath(ResourceUtils.java:152)
	at org.apache.shiro.lang.io.ResourceUtils.getInputStreamForPath(ResourceUtils.java:124)
	at org.apache.shiro.config.Ini.loadFromPath(Ini.java:270)
	at org.apache.camel.component.shiro.security.ShiroSecurityPolicy.<init>(ShiroSecurityPolicy.java:59)
	at org.apache.camel.component.shiro.security.ShiroSecurityPolicy.<init>(ShiroSecurityPolicy.java:71)
	at org.apache.camel.component.shiro.security.ShiroSecurityPolicy.<init>(ShiroSecurityPolicy.java:81)
	at org.apache.camel.component.shiro.security.ShiroRolesAuthorizationTest$1.configure(ShiroRolesAuthorizationTest.java:135)

The provided value for Ini.loadFromPath is src/test/resources/securityconfig.ini

A last note is that when backporting to 2.20, it is working fine for Camel as I mentioned, but I have test failures in Apache Shiro (but maybe I have not backported correctly?):


Here is the branch I used for the backport: https://github.com/apupier/shiro/pull/new/backport-session-fixation

@lprimak
Contributor Author

lprimak commented May 21, 2026

That is not going to be an issue, as the subject is the root of the object graph and there is only one session per subject.

One question regarding the placement of the snapshot/restore in beforeSuccessfulLogin(): after stopSession() you call subject.getSession() to obtain the new session and restore the attributes into it — but createSubject() hasn't run yet at that point. Is there a guarantee that createSubject() will always reuse that intermediate session rather than creating another one? I'm wondering if snapshotting before beforeSuccessfulLogin() and restoring to the subject returned by createSubject() (i.e. directly in login()) would be more robust, since it operates on the final authenticated subject with no ambiguity about which session ends up in use.
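A regression check for the behaviour discussed above, added here as an example and not code from this PR or from Shiro itself: with native session management, a successful login must issue a new session ID (the fixation protection) while the attributes set on the pre-login session are carried over into the authenticated subject's session. It assumes a 3.x build with the fix applied, Shiro's public DefaultSecurityManager, SimpleAccountRealm and Subject.Builder APIs, and a constructed account "alice"/"secret".

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/**
 * Constructed check for session-fixation handling in native session management:
 * the session ID must change across login, and pre-login attributes must survive.
 * Uses only Shiro's public API; the account and the attribute are test fixtures.
 */
public final class SessionFixationCheck {

    private SessionFixationCheck() {
    }

    /** Returns true only if login rotated the session ID AND kept the attribute. */
    public static boolean rotatesIdAndKeepsAttributes() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "secret"); // constructed test account
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        // Anonymous subject with a session whose ID is known before authentication
        // (the ID an attacker would try to fix on the victim).
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        Session preAuth = subject.getSession(true);
        Object idBefore = preAuth.getId();
        preAuth.setAttribute("cart", "3 items"); // state that must survive login

        subject.login(new UsernamePasswordToken("alice", "secret"));

        // DelegatingSubject.login() adopts the session of the subject returned by
        // the SecurityManager, so this is the session the authenticated user now has.
        Session postAuth = subject.getSession(false);
        if (postAuth == null) {
            return false; // fix regressed: attributes (and the session) were dropped
        }
        boolean idRotated = !idBefore.equals(postAuth.getId());
        boolean attributeKept = "3 items".equals(postAuth.getAttribute("cart"));
        return idRotated && attributeKept;
    }

    public static void main(String[] args) {
        System.out.println(rotatesIdAndKeepsAttributes()
                ? "OK: session ID rotated and attributes preserved"
                : "REGRESSION: ID not rotated or attributes lost");
    }
}
```

Run it against a build before and after the fix: the pre-fix 3.x behaviour described in #2704/#2710 is expected to report the regression branch, the patched build the OK branch.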

@lprimak
Contributor Author

lprimak commented May 21, 2026

@apupier see #2715

@apupier

apupier commented May 21, 2026

@apupier see #2715

With both fixes, the tests are passing for Apache Camel with the 3.x version of Shiro.

@lprimak lprimak requested review from bmarwell and fpapon May 23, 2026 18:41