Spent a bit more time on this. The issue in this specific case is line
81 of SecureRemoteInvocationFactory.createRemoteInvocation where
SecurityUtils.getSubject(); is called. This fails on
IllegalStateException when the Subject.Builder tries to obtain the
SecurityManager from SecurityUtils (but it doesn't need to be set at
all on the client side). The heuristics to obtain the session id from
the system property (a bit later in createRemoteInvocation) are never
given a chance to work. We could probably fix that in
SecureRemoteInvocationFactory, but the way this is written makes me
suspect that SecurityUtils.getSubject() was previously not allowed to
fail and didn't throw exceptions, which likely explains other similar
failure cases users have recently reported.

I think we need to do three things:
1) Decide what is the contract for the Subject.Builder - is it allowed
to fail or should it always return a subject
2) Break the circular dependency between SecurityUtils.getSubject ->
Subject.Builder.buildSubject() -> SecurityUtils.getSecurityManager().
I think SecurityUtils is nothing more than a convenience and
internally, we need to be careful about *not* using it.
3) Add unit tests to SecureRemoteInvocationFactory to cover all cases
for heuristics

Once we resolve these, fixing the Spring sample shouldn't be too
difficult. Les, you probably need to work on some of the above items
or at least give your input. Note that the current sample that's
committed isn't runnable at the moment (the webstart libs are not
copied to the right location and the jnlp lib entries are wrong, etc.).

Kalle


On Fri, Feb 19, 2010 at 1:49 PM, Les Hazlewood <[email protected]> wrote:
> Ah, ok - I'll check that out this weekend and hopefully find out 1)
> why and 2) come up with a clear way to try and make sure it won't
> happen regularly.
>
> On Fri, Feb 19, 2010 at 4:21 PM, Kalle Korhonen
> <[email protected]> wrote:
>> Yeah, you are overthinking it :) That's exactly the same thought I
>> had, but then I simply decided we can always move it around later if
>> and when users get confused about it. Why do it right away, the cost
>> of doing it later is no bigger than it is today.
>>
>> Anyway, I'm at the point with it where I can log in and start up the
>> Webstart client but it fails on "No SecurityManager accessible to the
>> calling code..." when it's trying to initialize WebStartView and
>> calling SecurityUtils.getSubject() as part of the process. I do find
>> it ironic that I'm tripping over the same code that quite a few users
>> have complained about (I think there's even a user thread exactly on
>> this topic when using Spring standalone sample). So while I do know
>> what the problem is (that the SecurityManager is not set either
>> as static property of SecurityUtils or in the thread context) I'm not
>> absolutely sure what and where is the SecurityManager supposed to be
>> set in this environment.
>>
>> Kalle
>>
>>
>> On Fri, Feb 19, 2010 at 11:12 AM, Les Hazlewood <[email protected]>
>> wrote:
>>> My concern was that people would probably look at each peer directory
>>> in the examples project as a self-contained runnable application and
>>> could be really confused as to how the webstart one would work. Maybe
>>> not though - maybe I'm just thinking about it too much :)
>>>
>>> On Fri, Feb 19, 2010 at 1:28 PM, Kalle Korhonen
>>> <[email protected]> wrote:
>>>> I considered that but didn't see it as too beneficial to make the
>>>> module hierarchy deeper. We would need to introduce a new parent pom
>>>> for spring module and put both the war and the jar modules underneath.
>>>> However, we only need the war to package it up as it'll contain the
>>>> jar module. Sure, spring-client cannot be run as a standalone sample
>>>> but I don't think it should be too confusing. If we prefer to move it
>>>> to its own multi-module build we can do that later.
>>>>
>>>> Kalle
>>>>
>>>>
>>>> On Fri, Feb 19, 2010 at 10:07 AM, Les Hazlewood <[email protected]>
>>>> wrote:
>>>>> I just realized that this module is a peer to the spring webapp that
>>>>> launches it via webstart. Shouldn't it be a module underneath a web
>>>>> project since it can't reside on its own without the webapp? Just
>>>>> trying to understand the reasoning...
>>>>>
>>>>> On Fri, Feb 19, 2010 at 9:21 AM, Les Hazlewood <[email protected]>
>>>>> wrote:
>>>>>> This is awesome, thanks!
>>>>>>
>>>>>> On Fri, Feb 19, 2010 at 2:25 AM, <[email protected]> wrote:
>>>>>>> Author: kaosko
>>>>>>> Date: Fri Feb 19 07:25:50 2010
>>>>>>> New Revision: 911722
>>>>>>>
>>>>>>> URL: http://svn.apache.org/viewvc?rev=911722&view=rev
>>>>>>> Log:
>>>>>>> SHIRO-89: Sample Spring Application - WebStart won't launch
>>>>>>> - Refactor Spring sample client from Spring sample into its own module
>>>>>>> to make packaging & dependency management easier and simpler. Work in
>>>>>>> progress
>>>>>>>
>>>>>>> Added:
>>>>>>> incubator/shiro/trunk/samples/spring-client/
>>>>>
>>>>
>>>
>>
>
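
The failure mode described at the top of this message, as an added example that is not part of the thread and is not Shiro code: a lookup that throws when no manager is configured keeps the system-property fallback from ever running. Every class, method and property name below is a hypothetical stand-in; the property name is a placeholder, and Java 9 or later is assumed.

```java
import java.util.Optional;

/** Added illustration; every type here is a hypothetical stand-in, not a Shiro class. */
public class SessionIdHeuristicsDemo {

    /** Stand-in for a static holder that throws when nothing was configured. */
    static final class ManagerHolder {
        static Object manager; // never set on a pure remoting client
        static Object require() {
            if (manager == null) {
                throw new IllegalStateException("No SecurityManager accessible to the calling code");
            }
            return manager;
        }
    }

    /** Stand-in for the subject lookup: it needs the manager before it can answer. */
    static String sessionIdFromSubject() {
        ManagerHolder.require();       // throws on the client
        return "session-from-subject"; // constructed value
    }

    /** Fragile shape: the exception escapes before the property fallback is reached. */
    static String resolveFragile(String propertyName) {
        String id = sessionIdFromSubject();
        return id != null ? id : System.getProperty(propertyName);
    }

    /** Tolerant shape: a missing manager means "no subject", then the fallback runs. */
    static String resolveTolerant(String propertyName) {
        Optional<String> fromSubject;
        try {
            fromSubject = Optional.ofNullable(sessionIdFromSubject());
        } catch (IllegalStateException noManager) {
            fromSubject = Optional.empty();
        }
        // Fail closed: never send an invocation without any session id.
        return fromSubject
                .or(() -> Optional.ofNullable(System.getProperty(propertyName)))
                .orElseThrow(() -> new IllegalStateException(
                        "No session id from subject or system property " + propertyName));
    }

    public static void main(String[] args) {
        String prop = "example.session.id"; // placeholder property name (assumption)
        System.setProperty(prop, "abc123"); // constructed sample value
        try {
            resolveFragile(prop);
        } catch (IllegalStateException e) {
            System.out.println("fragile: " + e.getMessage());
        }
        System.out.println("tolerant: " + resolveTolerant(prop));
    }
}
```

A unit test for the factory would cover the same three cases: subject available, property only, and neither.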
