Hi Brian,

'Run As' is intended to make it into 1.0 - it's my last decent programming task to clear 1.0 and I'll be working on it today. It is more than halfway done in the DelegatingSubject implementation - it's just those methods won't be made available in the Subject interface until they're finished.

Also, everyone should try to avoid using the ThreadContext as much as possible as its usages can be brittle. The Subject interface has the execute* and associateWith* methods which perform the thread binding and unbinding automatically in all cases and those should be used depending on your needs.

If you still feel that you must create your own Subject instance, the way to do that is via the Subject.Builder mechanism. That's documented here:

https://cwiki.apache.org/confluence/display/SHIRO/Subject

Look for the 'Subject.Builder' section - the recommended approach is the 'Automatic Association' and 'A Different Thread' sections ('Manual Association' is best left for very low level framework work).

But all this might not even be necessary for you - you should check out the new Executor/ExecutorService/ScheduledExecutorService support new to 1.0 (not yet documented in the wiki) located in the org.apache.shiro.concurrent package. They are JavaDoc'd already and explain exactly why you might want to use one.

Finally, as for the WebSecurityManagers failing for non-request-based interaction, that has been resolved in https://issues.apache.org/jira/browse/SHIRO-111

If a method is called that requires a request/response pair, and that pair is not available for some reason, the web-specific method is not called and only the superclass (DefaultSecurityManager) logic executes. The same principle exists in the DefaultWebSessionManager if using native sessions as well.

HTH!

Les

On Tue, May 11, 2010 at 6:33 AM, Brian Demers <brian.dem...@gmail.com> wrote:
> Hey guys,
>
> I was just wondering the status of 'Run As' support (Assume Identity, I
> think there were a few other terms that were thrown around too)
> https://issues.apache.org/jira/browse/SHIRO-25
>
> I took a look at the patches and reread the previous threads. I am
> assuming this isn't going to make the 1.0 ( can we bump the jira 'fix for'
> version? )
>
> To get this support in the past, I have done the following:
>
> DelegatingSubject fakeLoggedInSubject = new DelegatingSubject(
>     principal, /* authenticated */ true, null, null, /* Non-web */
>     securityManager );
> // fake the login
> ThreadContext.bind( fakeLoggedInSubject );
>
>
> We are not using this in production yet, but in my web app I need to use two
> different SecurityManagers, one for the Web (bound to http requests) and the
> default one, for this 'run as' support. We would be using the 'run as' to
> run scheduled tasks (so there is no access to http requests)
>
> Are there flaws behind this approach?
>
> Will / does the official support for this get around the
> WebSecurityManagers need for a http request?
>
> Thanks,
> Brian
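
The Subject.Builder and associateWith* approach recommended in the reply above, applied to the scheduled-task case from the original question. This is an added example, not code from either poster or from the Shiro project; the realm name `jobsRealm`, the account `nightly-report` and the role `batch` are constructed for illustration.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class ScheduledJobAsSubject {
    public static void main(String[] args) throws Exception {
        // Constructed sample realm and account; a real application supplies its own realm.
        SimpleAccountRealm realm = new SimpleAccountRealm("jobsRealm");
        realm.addAccount("nightly-report", "not-used-for-login", "batch");

        // Plain (non-web) SecurityManager: no HTTP request/response pair is involved.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        // Build the Subject for the identity the job runs as, without touching ThreadContext.
        Subject jobSubject = new Subject.Builder(securityManager)
                .principals(new SimplePrincipalCollection("nightly-report", realm.getName()))
                .authenticated(true)
                .buildSubject();

        Callable<String> work = new Callable<String>() {
            public String call() {
                // While the associated Callable runs, the job Subject is the current Subject.
                Subject current = SecurityUtils.getSubject();
                current.checkRole("batch"); // throws AuthorizationException if the role is missing
                return "ran as " + current.getPrincipal();
            }
        };

        // associateWith(...) wraps the Callable so the Subject is bound on whichever thread
        // runs it and unbound afterwards; pooled threads do not retain the identity.
        ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
        try {
            String result = scheduler.schedule(jobSubject.associateWith(work), 1, TimeUnit.SECONDS).get();
            System.out.println(result);
        } finally {
            scheduler.shutdown();
        }
    }
}
```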