Hi Shiro team! First, let me thank you all for the hard work of maintaining this awesome project!
Second, I'm having trouble with runAs/releaseRunAs functionality even after the 1.2.1 release. SHIRO-344 describes this issue perfectly, I'll just go into my own little investigation.

The problem for me, in short, is that DefaultSubjectDAO.mergePrincipals overwrites the DefaultSubjectContext.PRINCIPALS_SESSION_KEY with the top principal from the runAsPrincipalsStack. After that the original principal (the one supplied at login) is lost and subsequent calls to SecurityUtils.getSubject() return the last runAsPrincipal based subject.

I've made this work as expected by saving the initial principal in the session with a separate session key (during DelegatingSubject.login()) and restoring it into DefaultSubjectContext.PRINCIPALS_SESSION_KEY when releaseRunAs is called and the runAsPrincipalsStack is empty. If needed, I'll submit a diff patch.

I'm still not totally convinced that this is a bug and not a config issue on my part, so any thoughts from you will be appreciated.

Short description of my setup: Web app that uses the JEE6 stack and is deployed to Glassfish 3.1.2. Nothing out of the ordinary was done to integrate Shiro:

* EnvironmentLoaderListener was extended to make use of CDI for realm injection
* AuthorizingRealm was extended to use JPA for subject data retrieval
* Standard Shiro provided filters are used: Roles and PassThrough

Hope this all makes sense and thank you for your time.

Best regards,
Elijah Korneckis

--
View this message in context: http://shiro-developer.582600.n2.nabble.com/SHIRO-344-runAs-releaseRunAs-not-restoring-to-initial-principal-tp7577643.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
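The session behaviour reported above, as an added example that is not part of the original message and is not Shiro's code: a simplified model with no Shiro dependency, comparing the session principal after releaseRunAs with and without the separately saved login principal. The class, the key strings and the sample principals are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** Simplified model of the session state described in the message; not Shiro code. */
public class RunAsSessionModel {
    // Hypothetical key names standing in for the real session attributes.
    static final String PRINCIPALS_KEY = "PRINCIPALS_SESSION_KEY";
    static final String RUN_AS_STACK_KEY = "RUN_AS_PRINCIPALS_STACK";
    static final String INITIAL_KEY = "INITIAL_PRINCIPAL"; // separate key used by the workaround

    final Map<String, Object> session = new HashMap<>();
    final boolean keepInitial; // true = apply the workaround from the message

    RunAsSessionModel(boolean keepInitial) { this.keepInitial = keepInitial; }

    @SuppressWarnings("unchecked")
    Deque<String> stack() {
        return (Deque<String>) session.computeIfAbsent(RUN_AS_STACK_KEY, k -> new ArrayDeque<String>());
    }

    void login(String principal) {
        session.put(PRINCIPALS_KEY, principal);
        if (keepInitial) session.put(INITIAL_KEY, principal); // saved once, at login
    }

    void runAs(String principal) {
        stack().push(principal);
        session.put(PRINCIPALS_KEY, stack().peek()); // the merge overwrites the login principal
    }

    void releaseRunAs() {
        Deque<String> s = stack();
        if (!s.isEmpty()) s.pop();
        if (!s.isEmpty()) session.put(PRINCIPALS_KEY, s.peek()); // still impersonating
        else if (keepInitial) session.put(PRINCIPALS_KEY, session.get(INITIAL_KEY)); // restore
        // Without the saved copy there is nothing left to restore from.
    }

    String current() { return (String) session.get(PRINCIPALS_KEY); }

    public static void main(String[] args) {
        for (boolean fix : new boolean[] {false, true}) {
            RunAsSessionModel m = new RunAsSessionModel(fix);
            m.login("admin");   // constructed sample principals
            m.runAs("alice");
            m.releaseRunAs();
            System.out.println("keepInitial=" + fix + " principal after release: " + m.current());
        }
    }
}
```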
