On Mon, Jul 16, 2012 at 1:48 PM, Aaron <[email protected]> wrote:
> I have a use case where a supervisor needs to enter their username/password
> to continue certain operations.  I want the current Subject to remain logged
> in.  My current solution is to use SecurityManager.authenticate(...) and
> SecurityManager.hasRole(..).  Is there a more accepted pattern or part of
> the api to accomplish this?

Once you are re-authenticated, how do you demote or remove the
additional roles? If you don't need to consider the case for remainder
of the session, that should work fine. But you could also consider
using Subject.runAs, as if the manager was running the operation (see
http://shiro.apache.org/static/current/apidocs/org/apache/shiro/subject/Subject.html#runAs(org.apache.shiro.subject.PrincipalCollection).

Kalle
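
As an added example (not code from this thread or from Shiro itself), here is one way to combine the two approaches discussed above: authenticate the supervisor with SecurityManager.authenticate, check the role against the returned principals rather than the logged-in user's, and scope the elevation with runAs/releaseRunAs so the current Subject's session is unchanged once the operation finishes. The class and method names are assumptions; the Shiro calls are the public API.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper: runs one operation under a supervisor's identity
 *  without logging out the user who is currently logged in. */
public final class SupervisorOverride {

    private SupervisorOverride() {}

    /**
     * Verifies the supervisor's credentials and role, then executes {@code operation}
     * while the current Subject temporarily "runs as" the supervisor. The elevation
     * is released in a finally block, so it never outlives this call.
     * An AuthenticationException from authenticate() propagates to the caller.
     */
    public static void runAsSupervisor(String supervisorUser, char[] supervisorPassword,
                                       String requiredRole, Runnable operation) {
        SecurityManager securityManager = SecurityUtils.getSecurityManager();
        Subject current = SecurityUtils.getSubject();

        UsernamePasswordToken token = new UsernamePasswordToken(supervisorUser, supervisorPassword);
        PrincipalCollection supervisorPrincipals;
        try {
            // Authenticates the supervisor WITHOUT binding them to the current Subject or session.
            AuthenticationInfo info = securityManager.authenticate(token);
            supervisorPrincipals = info.getPrincipals();
        } finally {
            token.clear(); // wipe the supervisor's password from memory
        }

        // Authorize against the supervisor's principals, not the logged-in user's.
        if (!securityManager.hasRole(supervisorPrincipals, requiredRole)) {
            throw new UnauthorizedException("Supervisor lacks required role: " + requiredRole);
        }

        // Temporarily assume the supervisor's identity, then always drop it.
        current.runAs(supervisorPrincipals);
        try {
            operation.run();
        } finally {
            current.releaseRunAs();
        }
    }
}
```

Because the supervisor is never logged in to the session, there are no extra roles left to demote afterwards; the only elevated state is the runAs, and the finally block guarantees it is released.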
