shiro-dev mailing list archives

From: Elijah Korneckis
Subject: (SHIRO-344) runAs/releaseRunAs not restoring to initial principal
Date: Fri, 03 Aug 2012 12:14:09 GMT

Hi Shiro team!

First, let me thank you all for the hard work of maintaining this awesome

Second, I'm having trouble with runAs/releaseRunAs functionality even after
the 1.2.1 release. SHIRO-344 describes this issue perfectly; I'll just go into
my own little investigation.

The problem for me, in short, is that DefaultSubjectDAO.mergePrincipals
overwrites the DefaultSubjectContext.PRINCIPALS_SESSION_KEY with the top
principal from the runAsPrincipalsStack. After that the original principal
(the one supplied at login) is lost and subsequent calls to
SecurityUtils.getSubject() return the last runAsPrincipal based subject.

I've made this work as expected by saving the initial principal in the
session with a separate session key (during DelegatingSubject.login()) and
restoring it into DefaultSubjectContext.PRINCIPALS_SESSION_KEY when
releaseRunAs is called and the runAsPrincipalsStack is empty. If needed,
I'll submit a diff patch.

I'm still not totally convinced that this is a bug and not a config issue on
my part, so any thoughts from you will be appreciated.

Short description of my setup:
Web app that uses the JEE6 stack and is deployed to Glassfish 3.1.2. Nothing
out of the ordinary was done to integrate Shiro:
 * EnvironmentLoaderListener was extended to make use of CDI for realm
 * AuthorizingRealm was extended to use JPA for subject data retrieval
 * Standard Shiro provided filters are used: Roles and PassThrough

Hope this all makes sense and thank you for your time.

Best regards,
  Elijah Korneckis
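
Added example, not part of the original message and not Shiro's code: a simplified Java model of the session state the message describes, showing the session principal left on the run-as identity after releaseRunAs and restored when the login principal is kept under a separate key. The class name, key strings and principals are constructed for illustration.

```java
import java.util.*;

// Simplified model of the session state described in the message; not Shiro code.
public class RunAsRestoreModel {
    // Hypothetical session keys standing in for the ones Shiro uses.
    static final String PRINCIPALS_KEY = "PRINCIPALS_SESSION_KEY";
    static final String INITIAL_KEY = "INITIAL_PRINCIPAL"; // separate key from the workaround

    final Map<String, String> session = new HashMap<>();
    final Deque<String> runAsStack = new ArrayDeque<>(); // stands in for runAsPrincipalsStack
    final boolean saveInitial;

    RunAsRestoreModel(boolean saveInitial) { this.saveInitial = saveInitial; }

    void login(String principal) {
        session.put(PRINCIPALS_KEY, principal);
        if (saveInitial) session.put(INITIAL_KEY, principal);
    }

    // As reported: the top of the run-as stack overwrites the session principal.
    void mergePrincipals() {
        if (!runAsStack.isEmpty()) session.put(PRINCIPALS_KEY, runAsStack.peek());
    }

    void runAs(String principal) {
        runAsStack.push(principal);
        mergePrincipals();
    }

    void releaseRunAs() {
        if (!runAsStack.isEmpty()) runAsStack.pop();
        if (runAsStack.isEmpty() && saveInitial) {
            session.put(PRINCIPALS_KEY, session.get(INITIAL_KEY)); // restore the login principal
        } else {
            mergePrincipals(); // previous stack entry if any; an empty stack rewrites nothing
        }
    }

    String current() { return session.get(PRINCIPALS_KEY); }

    public static void main(String[] args) {
        for (boolean fix : new boolean[] {false, true}) {
            RunAsRestoreModel m = new RunAsRestoreModel(fix);
            m.login("alice"); // constructed sample principals
            m.runAs("bob");
            m.releaseRunAs();
            System.out.println((fix ? "workaround: " : "as reported: ") + m.current());
        }
    }
}
```

A regression test for the real fix would follow the same sequence (login, runAs, releaseRunAs) and check that the subject's principal equals the one supplied at login.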
