[#2713] [3.0] bugfix: using atomics for session updates #2712
Draft
lprimak wants to merge 4 commits into
Pull request overview
This PR aims to address issue #2713 by making SimpleSession state updates (timestamps, timeout, expired flag, and attributes) more concurrency-safe, improving cross-thread visibility of session mutations that can affect timeout/expiration behavior.
Changes:
- Replace stopTimestamp, lastAccessTime, timeout, and expired with AtomicReference/AtomicLong/AtomicBoolean wrappers.
- Use ConcurrentHashMap for session attributes and update lazy initialization accordingly.
- Update custom Java serialization logic (writeObject/readObject) to read/write the underlying values.
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
core/src/main/java/org/apache/shiro/session/mgt/SimpleSession.java:525
- In readObject, attributes are deserialized directly into the session. Older serialized sessions may contain a non-concurrent Map (e.g., HashMap), which defeats the new thread-safety expectations for attributes and can reintroduce concurrency issues. Consider wrapping the deserialized map in a ConcurrentHashMap (or reusing setAttributes) after reading it from the stream.
if (isFieldPresent(bitMask, HOST_BIT_MASK)) {
this.host = in.readUTF();
}
if (isFieldPresent(bitMask, ATTRIBUTES_BIT_MASK)) {
this.attributes = (Map<Object, Object>) in.readObject();
}
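The fix suggested in the suppressed comment above, as an added Java example (not Shiro code and not part of this pull request). `DemoSession` is a hypothetical cut-down stand-in for `SimpleSession`, and its `writeObject` deliberately emits a plain `HashMap` to mimic a stream written by an older version.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;

// Hypothetical cut-down stand-in for SimpleSession; not Shiro code.
public class DemoSession implements Serializable {
    private static final long serialVersionUID = 1L;

    // Field initializers and constructors of a Serializable class are NOT run
    // during deserialization, so readObject must rebuild these wrappers itself.
    private transient AtomicBoolean expired = new AtomicBoolean();
    private transient volatile Map<Object, Object> attributes = new ConcurrentHashMap<>();

    public void setAttribute(Object k, Object v) { attributes.put(k, v); }
    public void expire() { expired.set(true); }
    public boolean isExpired() { return expired.get(); }
    public Map<Object, Object> getAttributes() { return attributes; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeBoolean(expired.get());            // single read of the atomic
        // Constructed "legacy" stream: older sessions may carry a plain HashMap.
        out.writeObject(new HashMap<>(attributes));
    }

    @SuppressWarnings("unchecked")
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        this.expired = new AtomicBoolean(in.readBoolean()); // would be null otherwise
        Map<Object, Object> raw = (Map<Object, Object>) in.readObject();
        // Copy into a concurrent map whatever Map type the stream carried.
        // ConcurrentHashMap rejects null keys and values.
        this.attributes = raw == null ? null : new ConcurrentHashMap<>(raw);
    }

    public static void main(String[] args) throws Exception {
        DemoSession s = new DemoSession();
        s.setAttribute("user", "alice");
        s.expire();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(s); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            DemoSession copy = (DemoSession) in.readObject();
            System.out.println(copy.getAttributes().getClass().getSimpleName() + " expired=" + copy.isExpired());
        }
    }
}
```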
Comment on lines +461 to +471
| if (stopTimestamp.get() != null) { | ||
| out.writeObject(stopTimestamp.get()); | ||
| } | ||
| if (lastAccessTime != null) { | ||
| out.writeObject(lastAccessTime); | ||
| if (lastAccessTime.get() != null) { | ||
| out.writeObject(lastAccessTime.get()); | ||
| } | ||
| if (timeout != 0L) { | ||
| out.writeLong(timeout); | ||
| if (timeout.get() != 0L) { | ||
| out.writeLong(timeout.get()); | ||
| } | ||
| if (expired) { | ||
| out.writeBoolean(expired); | ||
| if (expired.get()) { | ||
| out.writeBoolean(expired.get()); |
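Review bot: each `if` in this hunk calls `.get()` once for the check and again for the write, for example `if (stopTimestamp.get() != null)` followed by `out.writeObject(stopTimestamp.get())`, so a concurrent update between the two reads can make the written value differ from the one that was tested, including writing a null that the check was meant to exclude. Read each atomic once into a local and use that local for both the condition and the write.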
Comment on lines +462 to 480
| var stopTimestamp = getStopTimestamp(); | ||
| if (stopTimestamp != null) { | ||
| out.writeObject(stopTimestamp); | ||
| } | ||
|
|
||
| var lastAccessTime = getLastAccessTime(); | ||
| if (lastAccessTime != null) { | ||
| out.writeObject(lastAccessTime); | ||
| } | ||
|
|
||
| var timeout = getTimeout(); | ||
| if (timeout != 0L) { | ||
| out.writeLong(timeout); | ||
| } | ||
|
|
||
| var expired = isExpired(); | ||
| if (expired) { | ||
| out.writeBoolean(expired); | ||
| } |
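Review bot: the four values are snapshotted by separate getter calls (`getStopTimestamp()`, `getLastAccessTime()`, `getTimeout()`, `isExpired()`), so the serialized session is not a consistent point-in-time view: a touch or expiry on another thread between two of these calls can pair an old `lastAccessTime` with a new `expired`. If the field-presence bit mask that `readObject` checks is computed from a separate read of these fields, derive it from these same locals instead so the mask and the written fields cannot disagree. The locals also shadow the fields of the same names, which now hold the atomic wrappers; distinct names would make the method easier to read.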
Comment on lines 198 to 202
| } | ||
|
|
||
| public void setAttributes(Map<Object, Object> attributes) { | ||
| this.attributes = attributes; | ||
| this.attributes = attributes == null ? null : new ConcurrentHashMap<>(attributes); | ||
| } |
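Review bot: `new ConcurrentHashMap<>(attributes)` throws NullPointerException when the supplied map contains a null key or a null value, which the previous plain assignment accepted; either document that restriction on `setAttributes` or filter such entries before copying. The copy also means later changes the caller makes to its own map no longer reach the session, which is worth stating in the javadoc.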
Comment on lines 94 to 110
| // ============================================================== | ||
| private transient Serializable id; | ||
| private transient Date startTimestamp; | ||
| private transient Date stopTimestamp; | ||
| private transient Date lastAccessTime; | ||
| private transient long timeout; | ||
| private transient boolean expired; | ||
| private transient AtomicReference<Date> stopTimestamp; | ||
| private transient AtomicReference<Date> lastAccessTime; | ||
| private transient AtomicLong timeout; | ||
| private transient AtomicBoolean expired = new AtomicBoolean(); | ||
| private transient String host; | ||
| private transient Map<Object, Object> attributes; | ||
| private transient volatile Map<Object, Object> attributes; | ||
|
|
||
| public SimpleSession() { | ||
| //TODO - remove concrete reference to DefaultSessionManager | ||
| this.timeout = DefaultSessionManager.DEFAULT_GLOBAL_SESSION_TIMEOUT; | ||
| this.timeout = new AtomicLong(DefaultSessionManager.DEFAULT_GLOBAL_SESSION_TIMEOUT); | ||
| this.startTimestamp = new Date(); | ||
| this.lastAccessTime = this.startTimestamp; | ||
| this.stopTimestamp = new AtomicReference<>(); | ||
| this.lastAccessTime = new AtomicReference<>(this.startTimestamp); | ||
| } |
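Review bot: `stopTimestamp`, `lastAccessTime`, `timeout` and `expired` are `transient` and receive their wrapper objects only from the constructor or, for `expired`, a field initializer; Java deserialization of a Serializable class runs neither, so after `readObject` these references are null unless `readObject` allocates them itself, including for fields that are absent from the stream. Allocate all four at the top of `readObject`, and initialize them in one place here rather than splitting `expired` off into an initializer.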
fixes #2713
Following this checklist to help us incorporate your contribution quickly and easily:
- for the change (usually before you start working on it). Trivial changes like typos do not require a GitHub issue. Your pull request should address just this issue, without pulling in other changes.
- [#XXX] - Fixes bug in SessionManager, where you replace #XXX with the appropriate GitHub issue. Best practice is to use the GitHub issue title in the pull request title and in the first line of the commit message.
- fixes #XXX if merging the PR should close a related issue.
- mvn verify to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.

Trivial changes like typos do not require a GitHub issue (javadoc, comments...). In this case, just format the pull request title like [DOC] - Add javadoc in SessionManager.

If this is your first contribution, you have to read the Contribution Guidelines

If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement if you are unsure please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004 you have to acknowledge this by using the following check-box.