Hi Stuart,

Can you please open a Jira for this? It would be greatly appreciated!

Thanks,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Fri, Sep 6, 2013 at 2:56 AM, Stuart Broad <[email protected]> wrote:

> Hi,
>
> Possibly this would be better:
>
>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>         SubjectContext context = createSubjectContext();
>         context.setAuthenticated(true);
>         context.setAuthenticationToken(token);
>         context.setAuthenticationInfo(info);
>         context.setSecurityManager(this); // <-- Set the security manager before the createSubject
>         if (existing != null) {
>             context.setSubject(existing);
>         }
>         return createSubject(context);
>     }
>
> Cheers,
>
> Stuart
>
> On Fri, Sep 6, 2013 at 10:34 AM, Stuart Broad <[email protected]> wrote:
>
>> Hi,
>>
>> I have run into a possible issue with regards to using the Subject login(use,pwd) api when the SecurityUtils SecurityManager has not been set (SecurityUtils.setSecurityManager(secMgr)). I have proposed a possible change but I would appreciate your advice.
>>
>> The following code:
>>
>>     Subject currentUser = new Subject.Builder(securityManager).buildSubject();
>>     UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
>>     currentUser.login(token);
>>
>> Results in an exception (this exception is not the end of the world as later in the code the current default security manager will get set so all should be ok):
>>
>> 15:31:01.325 [main] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available via SecurityUtils. Heuristics exhausted.
>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>     at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[shiro-core-1.2.1.jar:1.2.1]
>>     at org.apache.shiro.subject.support.DefaultSubjectContext.resolveSecurityManager(DefaultSubjectContext.java:106) ~[shiro-core-1.2.1.jar:1.2.1]
>>     at org.apache.shiro.mgt.DefaultSecurityManager.ensureSecurityManager(DefaultSecurityManager.java:411) [shiro-core-1.2.1.jar:1.2.1]
>>     at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:333) [shiro-core-1.2.1.jar:1.2.1]
>>     at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.1.jar:1.2.1]
>>     at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.1.jar:1.2.1]
>>     at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [shiro-core-1.2.1.jar:1.2.1]
>>
>> I think the issue rises from line 1 of the following code in DefaultSecurityManager:
>>
>>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>>         SubjectContext context = createSubjectContext(); // <-- Results in a context with no security manager
>>         context.setAuthenticated(true);
>>         context.setAuthenticationToken(token);
>>         context.setAuthenticationInfo(info);
>>         if (existing != null) {
>>             context.setSubject(existing);
>>         }
>>         return createSubject(context); // <-- This complains about no security manager
>>     }
>>
>> Could the DefaultSecurityManager code instead be as follows?
>>
>>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>>         SubjectContext context = createSubjectContext();
>>         context.setAuthenticated(true);
>>         context.setAuthenticationToken(token);
>>         context.setAuthenticationInfo(info);
>>         if (existing != null) {
>>             context.setSubject(existing);
>>             context.setSecurityManager(this); // <-- Set the security manager before the createSubject
>>         }
>>         return createSubject(context);
>>     }
>>
>> I could mask this debug message/exception but before I do that it would be good to know (based on your experience) if not setting the VM static security manager will result in any other issues.
>>
>> I basically create a Subject in one of two ways:
>>
>> (1) For Login -> new Subject.Builder(securityManager).buildSubject(); … subject.login(..)
>>
>> (2) For existing session -> new Subject.Builder(mSecurityManager).sessionId(sessionId).buildSubject(); ...
>>
>> Cheers,
>>
>> Stuart
