Hi Les,

I have created a jira. For reference it is:
https://issues.apache.org/jira/browse/SHIRO-457

Cheers,

Stuart

On Fri, Sep 13, 2013 at 8:01 PM, Les Hazlewood <[email protected]> wrote:

> Hi Stuart,
>
> Can you please open a Jira for this? It would be greatly appreciated!
>
> Thanks,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>
> On Fri, Sep 6, 2013 at 2:56 AM, Stuart Broad <[email protected]> wrote:
>
>> Hi,
>>
>> Possibly this would be better:
>>
>>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>>         SubjectContext context = createSubjectContext();
>>         context.setAuthenticated(true);
>>         context.setAuthenticationToken(token);
>>         context.setAuthenticationInfo(info);
>>         context.setSecurityManager(this); // <-- Set the security manager before the createSubject
>>         if (existing != null) {
>>             context.setSubject(existing);
>>         }
>>         return createSubject(context);
>>     }
>>
>> Cheers,
>>
>> Stuart
>>
>> On Fri, Sep 6, 2013 at 10:34 AM, Stuart Broad <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have run into a possible issue with regards to using the Subject
>>> login(use,pwd) api when the SecurityUtils SecurityManager has not been set
>>> (SecurityUtils.setSecurityManager(secMgr)). I have proposed a possible
>>> change but I would appreciate your advice.
>>>
>>> The following code:
>>>
>>>     Subject currentUser = new Subject.Builder(securityManager).buildSubject();
>>>     UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
>>>     currentUser.login(token);
>>>
>>> Results in an exception (this exception is not the end of the world as
>>> later in the code the current default security manager will get set so all
>>> should be ok):
>>>
>>>     15:31:01.325 [main] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available via SecurityUtils. Heuristics exhausted.
>>>     org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>         at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[shiro-core-1.2.1.jar:1.2.1]
>>>         at org.apache.shiro.subject.support.DefaultSubjectContext.resolveSecurityManager(DefaultSubjectContext.java:106) ~[shiro-core-1.2.1.jar:1.2.1]
>>>         at org.apache.shiro.mgt.DefaultSecurityManager.ensureSecurityManager(DefaultSecurityManager.java:411) [shiro-core-1.2.1.jar:1.2.1]
>>>         at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:333) [shiro-core-1.2.1.jar:1.2.1]
>>>         at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.1.jar:1.2.1]
>>>         at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.1.jar:1.2.1]
>>>         at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [shiro-core-1.2.1.jar:1.2.1]
>>>
>>> I think the issue arises from line 1 of the following code in
>>> DefaultSecurityManager:
>>>
>>>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>>>         SubjectContext context = createSubjectContext(); // <-- Results in a context with no security manager
>>>         context.setAuthenticated(true);
>>>         context.setAuthenticationToken(token);
>>>         context.setAuthenticationInfo(info);
>>>         if (existing != null) {
>>>             context.setSubject(existing);
>>>         }
>>>         return createSubject(context); // <-- This complains about no security manager
>>>     }
>>>
>>> Could the DefaultSecurityManager code instead be as follows?
>>>
>>>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>>>         SubjectContext context = createSubjectContext();
>>>         context.setAuthenticated(true);
>>>         context.setAuthenticationToken(token);
>>>         context.setAuthenticationInfo(info);
>>>         if (existing != null) {
>>>             context.setSubject(existing);
>>>             context.setSecurityManager(this); // <-- Set the security manager before the createSubject
>>>         }
>>>         return createSubject(context);
>>>     }
>>>
>>> I could mask this debug message/exception but before I do that it would
>>> be good to know (based on your experience) if not setting the VM static
>>> security manager will result in any other issues.
>>>
>>> I basically create a Subject in one of two ways:
>>>
>>> (1) For Login -> new Subject.Builder(securityManager).buildSubject(); …
>>> subject.login(..)
>>>
>>> (2) For existing session -> new
>>> Subject.Builder(mSecurityManager).sessionId(sessionId).buildSubject(); ...
>>>
>>> Cheers,
>>>
>>> Stuart
