Thanks!

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Mon, Sep 16, 2013 at 1:45 AM, Stuart Broad <[email protected]> wrote:
> Hi Les,
>
> I have created a jira. For reference it is:
>
> https://issues.apache.org/jira/browse/SHIRO-457
>
> Cheers,
>
> Stuart
>
> On Fri, Sep 13, 2013 at 8:01 PM, Les Hazlewood <[email protected]> wrote:
>
>> Hi Stuart,
>>
>> Can you please open a Jira for this? It would be greatly appreciated!
>>
>> Thanks,
>>
>> --
>> Les Hazlewood | @lhazlewood
>> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>>
>> On Fri, Sep 6, 2013 at 2:56 AM, Stuart Broad <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Possibly this would be better:
>>>
>>> protected Subject createSubject(AuthenticationToken token,
>>>         AuthenticationInfo info, Subject existing) {
>>>     SubjectContext context = createSubjectContext();
>>>     context.setAuthenticated(true);
>>>     context.setAuthenticationToken(token);
>>>     context.setAuthenticationInfo(info);
>>>     context.setSecurityManager(this); // <-- Set the security manager before the createSubject
>>>     if (existing != null) {
>>>         context.setSubject(existing);
>>>     }
>>>     return createSubject(context);
>>> }
>>>
>>> Cheers,
>>>
>>> Stuart
>>>
>>> On Fri, Sep 6, 2013 at 10:34 AM, Stuart Broad <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have run into a possible issue with regards to using the Subject
>>>> login(user,pwd) API when the SecurityUtils SecurityManager has not been set
>>>> (SecurityUtils.setSecurityManager(secMgr)). I have proposed a possible
>>>> change but I would appreciate your advice.
>>>>
>>>> The following code:
>>>>
>>>> Subject currentUser = new Subject.Builder(securityManager).buildSubject();
>>>> UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
>>>> currentUser.login(token);
>>>>
>>>> Results in an exception (this exception is not the end of the world as
>>>> later in the code the current default security manager will get set so all
>>>> should be ok):
>>>>
>>>> 15:31:01.325 [main] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available via SecurityUtils. Heuristics exhausted.
>>>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>>>>     at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[shiro-core-1.2.1.jar:1.2.1]
>>>>     at org.apache.shiro.subject.support.DefaultSubjectContext.resolveSecurityManager(DefaultSubjectContext.java:106) ~[shiro-core-1.2.1.jar:1.2.1]
>>>>     at org.apache.shiro.mgt.DefaultSecurityManager.ensureSecurityManager(DefaultSecurityManager.java:411) [shiro-core-1.2.1.jar:1.2.1]
>>>>     at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:333) [shiro-core-1.2.1.jar:1.2.1]
>>>>     at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.1.jar:1.2.1]
>>>>     at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.1.jar:1.2.1]
>>>>     at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [shiro-core-1.2.1.jar:1.2.1]
>>>>
>>>> I think the issue arises from line 1 of the following code in
>>>> DefaultSecurityManager:
>>>>
>>>> protected Subject createSubject(AuthenticationToken token,
>>>>         AuthenticationInfo info, Subject existing) {
>>>>     SubjectContext context = createSubjectContext(); // <-- Results in a context with no security manager
>>>>     context.setAuthenticated(true);
>>>>     context.setAuthenticationToken(token);
>>>>     context.setAuthenticationInfo(info);
>>>>     if (existing != null) {
>>>>         context.setSubject(existing);
>>>>     }
>>>>     return createSubject(context); // <-- This complains about no security manager
>>>> }
>>>>
>>>> Could the DefaultSecurityManager code instead be as follows?
>>>>
>>>> protected Subject createSubject(AuthenticationToken token,
>>>>         AuthenticationInfo info, Subject existing) {
>>>>     SubjectContext context = createSubjectContext();
>>>>     context.setAuthenticated(true);
>>>>     context.setAuthenticationToken(token);
>>>>     context.setAuthenticationInfo(info);
>>>>     if (existing != null) {
>>>>         context.setSubject(existing);
>>>>         context.setSecurityManager(this); // <-- Set the security manager before the createSubject
>>>>     }
>>>>     return createSubject(context);
>>>> }
>>>>
>>>> I could mask this debug message/exception but before I do that it would
>>>> be good to know (based on your experience) if not setting the VM static
>>>> security manager will result in any other issues.
>>>>
>>>> I basically create a Subject in one of two ways:
>>>>
>>>> (1) For Login -> new Subject.Builder(securityManager).buildSubject(); …
>>>> subject.login(..)
>>>>
>>>> (2) For existing session -> new
>>>> Subject.Builder(mSecurityManager).sessionId(sessionId).buildSubject(); ...
>>>>
>>>> Cheers,
>>>>
>>>> Stuart
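
An added example, not code from this thread or from the Shiro project: the exception text quoted above names two places the SecurityManager is looked up, the ThreadContext and the VM static singleton. This example binds the manager to the ThreadContext for the duration of the login only, so no VM static is set; the class name, account and password are constructed, and shiro-core is assumed to be on the classpath.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Hypothetical class name; illustrates an application-side alternative to
// calling SecurityUtils.setSecurityManager(...).
public class ScopedLoginExample {

    // Fully qualified type: an unqualified "SecurityManager" would resolve to
    // java.lang.SecurityManager.
    static Subject login(org.apache.shiro.mgt.SecurityManager securityManager,
                         String userName, String password) {
        // Bind for the current thread only, so SecurityUtils.getSecurityManager()
        // finds a manager while login() builds the authenticated Subject.
        ThreadContext.bind(securityManager);
        try {
            Subject currentUser = new Subject.Builder(securityManager).buildSubject();
            // Throws an AuthenticationException on bad credentials; the finally
            // block below still runs in that case.
            currentUser.login(new UsernamePasswordToken(userName, password));
            return currentUser;
        } finally {
            // Unbind so a pooled or reused thread does not keep the reference.
            ThreadContext.unbindSecurityManager();
        }
    }

    public static void main(String[] args) {
        // Constructed sample account held in an in-memory realm.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-sample-password");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        Subject subject = login(securityManager, "alice", "constructed-sample-password");
        System.out.println("authenticated: " + subject.isAuthenticated());
    }
}
```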
