[ https://issues.apache.org/jira/browse/SHIRO-380?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Elijah Korneckis updated SHIRO-380:
-----------------------------------
Attachment: SHIRO-380-patch1.diff
Hi,
Here's what I've been able to piece together. I think the main difference
between the test scenario and a web app setup is that the Subject that is bound
to the thread and saved in the session is recreated between requests - in the
filter chain (see AbstractShiroFilter, line 359).
During the creation process the DefaultSecurityManager.createSubject calls its
save method (at line 350).
That, in turn, calls DefaultSubjectDAO.mergePrincipals (at line 163): save ->
saveToSession -> mergePrincipals.
Here's where things get interesting. Consider Jochen's scenario, right after
runAs is executed:
1. The session now contains the following attributes:
* DefaultSubjectContext.PRINCIPALS_SESSION_KEY = user1
* DelegatingSubject.RUN_AS_PRINCIPALS_SESSION_KEY = [user2];
2. When the next request is fired, we enter the filter chain and get to
mergePrincipals.
At this point
PrincipalCollection currentPrincipals = subject.getPrincipals();
(DefaultSubjectDAO, line 177)
will return "user2" as it is the top item in the runAs stack.
After that
PrincipalCollection existingPrincipals = (PrincipalCollection)
session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY); (line 187)
will return "user1" as it is saved in the session.
And here the initial principal is overwritten (lines 196 to 198):
// currentPrincipals == user2, existingPrincipals = user1
if (!currentPrincipals.equals(existingPrincipals)) {
    session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY,
                         currentPrincipals);
}
Whew, hope I got that right. I've attached a diff with changes that solved this
issue for me. The changes are rather minor - the initial principal is saved to the
session during login and restored when the runAs stack is emptied.
P.S. All line numbers and the diff file are taken from the 1.2.1 release tag
(https://svn.apache.org/repos/asf/shiro/tags/shiro-root-1.2.1)
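The sequence walked through above can be replayed as a small state model. The code below is an added illustration and is not Shiro code or the attached patch: it mimics only the parts of DelegatingSubject (base principals plus a run-as stack kept in the session) and DefaultSubjectDAO.mergePrincipals (the overwrite of PRINCIPALS_SESSION_KEY) that the comment describes, and applies the fix the way the comment describes it (remember the login-time principals, restore them when the runAs stack empties). The Subject constructor, merge_principals, next_request, login and simulate are toy functions of this model, and ORIGINAL_PRINCIPALS_KEY is a hypothetical key name, not a Shiro constant.

```python
# Toy model of the SHIRO-380 session state walked through in the comment above.
# Added illustration, not Shiro code: only the behaviour the comment describes
# is modelled. ORIGINAL_PRINCIPALS_KEY is a hypothetical key name.

PRINCIPALS_SESSION_KEY = "DefaultSubjectContext.PRINCIPALS_SESSION_KEY"
RUN_AS_PRINCIPALS_SESSION_KEY = "DelegatingSubject.RUN_AS_PRINCIPALS_SESSION_KEY"
ORIGINAL_PRINCIPALS_KEY = "ORIGINAL_PRINCIPALS_KEY"  # hypothetical, not in Shiro


class Subject:
    """Stand-in for DelegatingSubject: base principals handed in by the filter
    chain, plus a run-as stack stored in the session (top of stack = index 0)."""

    def __init__(self, session, principals):
        self.session = session
        self.principals = principals

    def _stack(self):
        return self.session.get(RUN_AS_PRINCIPALS_SESSION_KEY, [])

    def get_principals(self):
        stack = self._stack()
        return stack[0] if stack else self.principals

    def get_previous_principals(self):
        stack = self._stack()
        if not stack:
            return None
        return stack[1] if len(stack) > 1 else self.principals

    def run_as(self, principals):
        self.session[RUN_AS_PRINCIPALS_SESSION_KEY] = [principals] + self._stack()

    def release_run_as(self, fixed):
        """Pop the run-as stack; with the fix, restore the login-time principals
        once the stack is empty (as the comment's patch is described)."""
        stack = self._stack()[1:]
        if stack:
            self.session[RUN_AS_PRINCIPALS_SESSION_KEY] = stack
        else:
            self.session.pop(RUN_AS_PRINCIPALS_SESSION_KEY, None)
            if fixed:
                self.principals = self.session[ORIGINAL_PRINCIPALS_KEY]
                self.session[PRINCIPALS_SESSION_KEY] = self.principals
        return self.get_principals()


def merge_principals(subject):
    """Mirrors the overwrite in DefaultSubjectDAO.mergePrincipals quoted above:
    whatever getPrincipals() returns (the run-as principal, if any) replaces
    the principals stored in the session."""
    current = subject.get_principals()
    existing = subject.session.get(PRINCIPALS_SESSION_KEY)
    if current is None:
        subject.session.pop(PRINCIPALS_SESSION_KEY, None)
    elif current != existing:
        subject.session[PRINCIPALS_SESSION_KEY] = current


def next_request(session):
    """The filter chain rebuilds the Subject from the session on each request,
    and save() runs mergePrincipals before the request is handled."""
    subject = Subject(session, session.get(PRINCIPALS_SESSION_KEY))
    merge_principals(subject)
    return subject


def login(session, principals, fixed):
    session[PRINCIPALS_SESSION_KEY] = principals
    if fixed:
        session[ORIGINAL_PRINCIPALS_KEY] = principals  # remembered for restore
    return Subject(session, principals)


def simulate(fixed):
    """Replay: login as user1, runAs(user2), two more requests, release.
    Returns the observations the reporter and the commenter describe."""
    session = {}
    subject = login(session, "user1", fixed)
    subject.run_as("user2")
    subject = next_request(session)          # request 2: merge overwrites user1
    after_merge = session[PRINCIPALS_SESSION_KEY]
    subject = next_request(session)          # request 3: Subject rebuilt as user2
    previous = subject.get_previous_principals()
    after_release = subject.release_run_as(fixed)
    subject = next_request(session)          # request 4
    return {"session_after_merge": after_merge,
            "previous_principals": previous,
            "after_release": after_release,
            "next_request": subject.get_principals()}


if __name__ == "__main__":
    print("unpatched:", simulate(fixed=False))
    print("patched:  ", simulate(fixed=True))
```

In the unpatched run the session's PRINCIPALS_SESSION_KEY becomes user2 on the second request, so from the third request on the rebuilt Subject reports user2 for both getPrincipals() and getPreviousPrincipals() (the reporter's symptom), and releasing runAs still leaves user2 in place: the login principal is gone. With the restore-on-release behaviour the comment describes, the overwrite during the merge still happens, but releasing the last run-as entry puts user1 back into the session and the next request sees user1 again.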
> runAs feature (still) doesn't work
> ----------------------------------
>
> Key: SHIRO-380
> URL: https://issues.apache.org/jira/browse/SHIRO-380
> Project: Shiro
> Issue Type: Bug
> Components: Realms
> Affects Versions: 1.2.1
> Reporter: Jochen Munz
> Assignee: Les Hazlewood
> Labels: principal, shiro, subject
> Attachments: SHIRO-380-patch1.diff, shiro_380_webapp.tgz
>
>
> Right after SecurityUtils.getSubject().runAs(new
> SimplePrincipalCollection(){...})
> SecurityUtils.getSubject().getPrincipal() returns correct new Principal
> SecurityUtils.getSubject().getPreviousPrincipals() returns correct original
> Principal
> but DefaultSubjectDAO merge principals in method
> protected void mergePrincipals(Subject subject) {
>     PrincipalCollection currentPrincipals = subject.getPrincipals();
>     ...
>     if (session == null) {
>         ...
>     } else {
>         PrincipalCollection existingPrincipals = (PrincipalCollection)
>                 session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
>         if (CollectionUtils.isEmpty(currentPrincipals)) {
>             ...
>         } else {
>             if (!currentPrincipals.equals(existingPrincipals)) {
>                 session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY,
>                         currentPrincipals);
>             }
>         }
>     }
> and after that
> SecurityUtils.getSubject().getPrincipal() and
> SecurityUtils.getSubject().getPreviousPrincipals() both return the new Principal
> - this is wrong behavior