[Bug] getRunAsPrincipalsStack can throw random exceptions when the session is invalid #2050

@boris-petrov

Search before asking

  • I had searched in the issues and found no similar issues.

Environment

Tomcat, Java 24.

Shiro version

2.0.2

What was the actual outcome?

After the fix in #372 I expected that getPrincipal would never blow up even if the session has expired. That's not true in a Tomcat environment, however. Check the stacktrace below:

java.lang.IllegalStateException: The request object has been recycled and is no longer associated with this facade
        at org.apache.catalina.connector.RequestFacade.checkFacade(RequestFacade.java:856)
        at org.apache.catalina.connector.RequestFacade.removeAttribute(RequestFacade.java:419)
        at javax.servlet.ServletRequestWrapper.removeAttribute(ServletRequestWrapper.java:246)
        at org.apache.shiro.web.session.mgt.DefaultWebSessionManager.onInvalidation(DefaultWebSessionManager.java:306)
        at org.apache.shiro.web.session.mgt.DefaultWebSessionManager.onExpiration(DefaultWebSessionManager.java:294)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.validate(AbstractValidatingSessionManager.java:143)
        at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:149)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:153)
        at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:250)
        at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141)
        at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121)
        at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:476)
        at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:159)
        at org.apache.shiro.subject.support.DelegatingSubject.getPrincipal(DelegatingSubject.java:155)
        ...

What was the expected outcome?

No exception. I'm not sure how best to handle that. Perhaps the DefaultWebSessionManager should handle IllegalStateException in onInvalidation? Ideas?

cc @lprimak

How to reproduce

Create a web session inside Tomcat, expire it and call getPrincipal on the Subject.

Debug logs

No response
