Subject: Memory leak related to permissions


Again, I'm not entirely sure, but I've found some hints that for basic-auth strategy, we don't want the servlet container to create any HttpSession objects at all. So a possible fix would be to tell Shiro not to create a HttpSession object, whenever we are using basic-auth strategy.

I'm working on this ...

// Basic auth should never create sessions ...

request.setAttribute("org.apache.shiro.subject.support.DefaultSubjectContext.SESSION_CREATION_ENABLED", Boolean.FALSE);

On 2019/08/03 12:52:49, Andi Huber <[EMAIL PROTECTED]> wrote: