I see the internals of Shiro have been changed quite a bit in r806735.
ShiroFilter.bind() now does:
Subject subject = new WebSubjectBuilder(getSecurityManager(),
request, response).build();
WebThreadStateManager threadState = new
WebThreadStateManager(subject, request, response);
threadState.bindThreadState();
which for Tapestry integration I'm working on results in:
java.lang.IllegalStateException: No ServletRequest found in
ThreadContext. Make sure WebUtils.bind() is being called. (typically
called by ShiroFilter) This could also happen when running
integration tests that don't properly call WebUtils.bind().
at
org.apache.shiro.web.WebUtils.getRequiredServletRequest(WebUtils.java:351)
at
org.apache.shiro.web.session.ServletContainerSessionManager.doGetSession(ServletContainerSessionManager.java:69)
at
org.apache.shiro.session.mgt.AbstractSessionManager.getSession(AbstractSessionManager.java:246)
at
org.apache.shiro.session.mgt.AbstractSessionManager.checkValid(AbstractSessionManager.java:265)
at
org.apache.shiro.mgt.SessionsSecurityManager.checkValid(SessionsSecurityManager.java:294)
at
org.apache.shiro.mgt.DefaultSecurityManager.getSession(DefaultSecurityManager.java:196)
at
org.apache.shiro.mgt.DefaultSecurityManager.resolveSessionIfNecessary(DefaultSecurityManager.java:437)
at
org.apache.shiro.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:403)
at org.apache.shiro.subject.SubjectBuilder.build(SubjectBuilder.java:95)
at
org.trailsframework.security.services.SecurityConfiguration.service(SecurityConfiguration.java:87)
I.e. WebSubject requires the request is already bound to thread
context, but WebThreadStateManager (that's supposed to bind it)
requires a subject to exist. If I call WebUtils.bind(request)
before instantiating a WebSubjectBuilder, everything works. Les, is it
expected I still need to bind the request/response separately or
perhaps this is a defect/refactoring still in progress?
Kalle
