Les,

Thanks for the pointers, this helps a lot!


On Tue, May 11, 2010 at 1:31 PM, Les Hazlewood <lhazlew...@apache.org> wrote:

> Hi Brian,
>
> 'Run As' is intended to make it in to 1.0 - it's my last decent
> programming task to clear 1.0 and I'll be working on it today.  It is
> more than halfway done in the DelegatingSubject implementation - it's
> just those methods won't be made available in the Subject interface
> until they're finished.
>
> Also, everyone should try to avoid using the ThreadContext as much as
> possible as its usages can be brittle.  The Subject interface has the
> execute* and associateWith* methods which perform the thread binding
> and unbinding automatically in all cases and those should be used
> depending on your needs.  If you still feel that you must create your
> own Subject instance, the way to do that is via the Subject.Builder
> mechanism.
>
> That's documented here:
> https://cwiki.apache.org/confluence/display/SHIRO/Subject
>
> Look for the 'Subject.Builder' section - the recommended approach is
> the 'Automatic Association' and 'A Different Thread' sections ('Manual
> Association' is best left for very low level framework work).
>
> But all this might not even be necessary for you - you should check
> out the new Executor/ExecutorService/ScheduledExecutorService support
> new to 1.0 (not yet documented in the wiki) located in the
> org.apache.shiro.concurrent package.  They are JavaDoc'd already and
> explain exactly why you might want to use one.
>
> Finally, as for the WebSecurityManagers failing for non-request-based
> interaction, that has been resolved in
> https://issues.apache.org/jira/browse/SHIRO-111
>
> If a method is called that requires a request/response pair, and that
> pair is not available for some reason, the web-specific method is not
> called and only the superclass (DefaultSecurityManager) logic
> executes.  The same principle exists in the DefaultWebSessionManager
> if using native sessions as well.
>
> HTH!
>
> Les
>
> On Tue, May 11, 2010 at 6:33 AM, Brian Demers <brian.dem...@gmail.com> wrote:
> > Hey guys,
> >
> > I was just wondering the status of 'Run As' support (Assume Identity, I
> > think there were a few other terms that were thrown around too)
> > https://issues.apache.org/jira/browse/SHIRO-25
> >
> > I took a look at the patches and reread the previous threads.  I am
> > assuming this isn't going to make the 1.0 (can we bump the jira 'fix for'
> > version?)
> >
> > To get this support in the past, I have done the following:
> >
> >        DelegatingSubject fakeLoggedInSubject = new DelegatingSubject(
> >                principal, /* authenticated */ true, null, null,
> >                /* Non-web */ securityManager );
> >        // fake the login
> >        ThreadContext.bind( fakeLoggedInSubject );
> >
> >
> > We are not using this in production yet, but in my web app I need to use two
> > different SecurityManagers, one for the Web (bound to http requests) and the
> > default one, for this 'run as' support.  We would be using the 'run as' to
> > run scheduled tasks (so there is no access to http requests).
> >
> > Are there flaws behind this approach?
> >
> > Will / does the official support for this get around the
> > WebSecurityManager's need for an http request?
> >
> > Thanks,
> > Brian
> >
>
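
The approach recommended in the quoted reply (Subject.Builder plus associateWith for work on a different thread), applied to a scheduled job. This is an added example, not code from the thread or from the Shiro project; it assumes shiro-core 1.x on the classpath, and the realm, account and role names are made up.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

public class ScheduledRunAsExample {
    public static void main(String[] args) throws Exception {
        // Constructed sample data: one service account with one role (hypothetical names).
        SimpleAccountRealm realm = new SimpleAccountRealm("jobsRealm");
        realm.addAccount("nightly-job", "not-used-here", "batch");
        // Plain (non-web) SecurityManager, so no request/response pair is involved.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        // Build the Subject through Subject.Builder rather than constructing
        // DelegatingSubject by hand. authenticated(true) asserts the identity
        // without a credential check, so the principal must come from trusted
        // configuration, never from request input.
        PrincipalCollection identity =
                new SimplePrincipalCollection("nightly-job", realm.getName());
        Subject jobSubject = new Subject.Builder(securityManager)
                .principals(identity)
                .authenticated(true)
                .buildSubject();

        Runnable task = () -> {
            // Inside the associated Runnable the Subject is bound to this thread.
            Subject current = SecurityUtils.getSubject();
            current.checkRole("batch"); // throws AuthorizationException if the role is missing
            System.out.println("running as " + current.getPrincipal());
        };

        ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
        try {
            // associateWith wraps the task so binding and unbinding happen around
            // run(); no direct ThreadContext.bind() and no stale Subject on a pooled thread.
            scheduler.schedule(jobSubject.associateWith(task), 0, TimeUnit.SECONDS).get();
        } finally {
            scheduler.shutdown();
        }
    }
}
```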
