camel-users mailing list archives

From "jethwani.bipin@gmail.com" <jethwani.bi...@gmail.com>
Subject camel shiro security policy with alwaysReauthenticate set to false doesn't detect separate user logging-in
Date Sun, 05 May 2013 13:40:41 GMT
Here's the code which I had to re-work to make it work for me.

apache-camel-2.10.4 ShiroSecurityPolicy.authenticateUser

*It was:*

    private void authenticateUser(Subject currentUser, ShiroSecurityToken securityToken) {
        if (!currentUser.isAuthenticated()) {
            ...
            currentUser.login(token);
            ...
        }
    }

*New:*

    private void authenticateUser(Subject currentUser, ShiroSecurityToken securityToken) {
        if (!currentUser.isAuthenticated() ||
                (currentUser.isAuthenticated() &&
                 !((String) currentUser.getPrincipal()).equals(securityToken.getUsername()))) {
            ...
            currentUser.login(token);
            ...
        }
    }

I have Java remoting built on ActiveMQ and Camel using Camel bean
invocation. There's a route from the direct component to JMS on the client
side which injects the Shiro security token (nothing special there). And on
the other side I have a route from JMS to a bean which has a
policy(shiroSecurityPolicy) check using a custom realm. And I noticed that a
new user is not detected when the user changes on the client side, and it was
kind of a security risk as it was allowing an invalid user to pass through.
Now I have limited experience with Apache Shiro, so I thought of checking if
this is the correct fix?



--
View this message in context: http://camel.465427.n5.nabble.com/camel-shiro-security-policy-with-alwaysReauthenticate-set-to-false-doesn-t-detect-seperate-user-loggn-tp5732043.html
Sent from the Camel - Users mailing list archive at Nabble.com.
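
A minimal model of the behaviour described in this message, added here as an illustration and not taken from Camel or Shiro: the `Subject` class, the in-memory `REALM` and the methods `originalCheck` and `reworkedCheck` are hypothetical stand-ins, and a plain username/password pair stands in for the `ShiroSecurityToken`. It shows a cached, already authenticated subject accepting a token for a different user without any credential check, and the principal comparison forcing that check.

```java
import java.util.Map;
import java.util.Objects;

public class ReauthCheckDemo {
    // Stand-in for a Subject that is reused across messages (hypothetical, not Shiro's class).
    static class Subject {
        private String principal;
        boolean isAuthenticated() { return principal != null; }
        String getPrincipal() { return principal; }
        void login(String user, String password) {
            if (!password.equals(REALM.get(user)))
                throw new SecurityException("bad credentials for " + user);
            principal = user;
        }
    }
    // Constructed sample realm: username -> password.
    static final Map<String, String> REALM = Map.of("alice", "a-secret", "bob", "b-secret");

    // Original check: an already authenticated subject skips login entirely.
    static String originalCheck(Subject s, String user, String password) {
        if (!s.isAuthenticated()) {
            s.login(user, password);
        }
        return s.getPrincipal();
    }

    // Reworked check: also log in when the token names a different user (null-safe compare).
    static String reworkedCheck(Subject s, String user, String password) {
        if (!s.isAuthenticated() || !Objects.equals(s.getPrincipal(), user)) {
            s.login(user, password);
        }
        return s.getPrincipal();
    }

    public static void main(String[] args) {
        Subject a = new Subject();
        originalCheck(a, "alice", "a-secret");
        // The second token names "bob" with a wrong password, but it is never verified.
        System.out.println("original: token=bob, acts as " + originalCheck(a, "bob", "wrong"));
        Subject b = new Subject();
        reworkedCheck(b, "alice", "a-secret");
        try {
            reworkedCheck(b, "bob", "wrong");
        } catch (SecurityException e) {
            System.out.println("reworked: rejected (" + e.getMessage() + ")");
        }
        System.out.println("reworked: token=bob, acts as " + reworkedCheck(b, "bob", "b-secret"));
    }
}
```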