shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Les Hazlewood <lhazlew...@apache.org>
Subject Shiro web apps - static SecurityManager by default?
Date Thu, 05 May 2011 22:01:49 GMT
I just resolved SHIRO-287[1] which enables the SecurityManager set up
by the ShiroFilter to be statically accessible to the web app.  This
ensures that SecurityUtils.getSubject()/getSecurityManager() will very
easily work even on non-request threads.

However, I left this disabled by default to retain the existing
behavior (no static memory).

Jared raised the idea that this could probably be enabled by default
because the only time there would be static memory conflict is if
there is more than one Shiro web app in the same servlet container and
both of those webapps use a shared classloader - probably something
that occurs quite rarely, if at all, these days.

That is, if static memory conflict lies in the 20% use case (probably
more like 5% or 1%), then in keeping with Shiro's 'it just works'
objective, it'd be easier for the other 80%/95% of people if it was
enabled by default.

It is still disabled by default, but I was wondering if anyone wanted
to chime in here.  Thoughts?

[1] https://issues.apache.org/jira/browse/SHIRO-287

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

Mime
View raw message