Hi,

Possibly this would be better:

    protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
        SubjectContext context = createSubjectContext();
        context.setAuthenticated(true);
        context.setAuthenticationToken(token);
        context.setAuthenticationInfo(info);
        context.setSecurityManager(this); // <-- Set the security manager before the createSubject
        if (existing != null) {
            context.setSubject(existing);
        }
        return createSubject(context);
    }


Cheers,


Stuart


On Fri, Sep 6, 2013 at 10:34 AM, Stuart Broad <[email protected]> wrote:

> Hi,
>
>
> I have run into a possible issue with regard to using the Subject
> login(use,pwd) API when the SecurityUtils SecurityManager has not been set
> (SecurityUtils.setSecurityManager(secMgr)).  I have proposed a possible
> change but I would appreciate your advice.
>
>
> The following code:
>
>
>         Subject currentUser = new Subject.Builder(securityManager).buildSubject();
>         UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
>         currentUser.login(token);
>
>
> Results in an exception (this exception is not the end of the world as
> later in the code the current default security manager will get set so all
> should be ok):
>
>
> 15:31:01.325 [main] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available via SecurityUtils.  Heuristics exhausted.
> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
>     at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[shiro-core-1.2.1.jar:1.2.1]
>     at org.apache.shiro.subject.support.DefaultSubjectContext.resolveSecurityManager(DefaultSubjectContext.java:106) ~[shiro-core-1.2.1.jar:1.2.1]
>     at org.apache.shiro.mgt.DefaultSecurityManager.ensureSecurityManager(DefaultSecurityManager.java:411) [shiro-core-1.2.1.jar:1.2.1]
>     at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:333) [shiro-core-1.2.1.jar:1.2.1]
>     at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.1.jar:1.2.1]
>     at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.1.jar:1.2.1]
>     at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [shiro-core-1.2.1.jar:1.2.1]
>
>
> I think the issue arises from line 1 of the following code in
> DefaultSecurityManager:
>
>
>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>         SubjectContext context = createSubjectContext();  // <-- Results in a context with no security manager
>         context.setAuthenticated(true);
>         context.setAuthenticationToken(token);
>         context.setAuthenticationInfo(info);
>         if (existing != null) {
>             context.setSubject(existing);
>         }
>         return createSubject(context); // <-- This complains about no security manager
>     }
>
>
> Could the DefaultSecurityManager code instead be as follows?
>
>
>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>         SubjectContext context = createSubjectContext();
>         context.setAuthenticated(true);
>         context.setAuthenticationToken(token);
>         context.setAuthenticationInfo(info);
>         if (existing != null) {
>             context.setSubject(existing);
>             context.setSecurityManager(this); // <-- Set the security manager before the createSubject
>         }
>         return createSubject(context);
>     }
>
>
> I could mask this debug message/exception but before I do that it would be
> good to know (based on your experience) if not setting the VM static
> security manager will result in any other issues.
>
>
> I basically create a Subject in one of two ways:
>
>
> (1) For Login -> new Subject.Builder(securityManager).buildSubject(); … subject.login(..)
>
> (2) For existing session -> new Subject.Builder(mSecurityManager).sessionId(sessionId).buildSubject(); ...
>
>
> Cheers,
>
>
> Stuart
>
