shiro-dev mailing list archives

From "Elijah Korneckis (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SHIRO-380) runAs feature (still) doesn't work
Date Wed, 08 Aug 2012 15:56:20 GMT

     [ https://issues.apache.org/jira/browse/SHIRO-380?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elijah Korneckis updated SHIRO-380:
-----------------------------------

    Attachment: SHIRO-380-patch1.diff

Hi,

Here's what I've been able to piece together. I think the main difference between the test
scenario and a web app setup is that the Subject that is bound to the thread and saved in the
session is recreated between requests - in the filter chain (see AbstractShiroFilter, line
359).

During the creation process DefaultSecurityManager.createSubject calls its save method
(at line 350).
That, in turn, calls DefaultSubjectDAO.mergePrincipals (at line 163): save -> saveToSession
-> mergePrincipals.

Here's where things get interesting. Consider Jochen's scenario, right after runAs is executed:
 1. The session now contains the following attributes:
   * DefaultSubjectContext.PRINCIPALS_SESSION_KEY = user1
   * DelegatingSubject.RUN_AS_PRINCIPALS_SESSION_KEY = [user2];
 2. When the next request is fired, we enter the filter chain and get to mergePrincipals.


At this point

 PrincipalCollection currentPrincipals = subject.getPrincipals();

(DefaultSubjectDAO, line 177) will return "user2" as it is the top item in the runAs stack.

After that

 PrincipalCollection existingPrincipals = (PrincipalCollection) session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);

(line 187) will return "user1" as it is saved in the session.
 
And here the initial principal is overwritten (lines 196 to 198):

 // currentPrincipals == user2, existingPrincipals == user1
 if (!currentPrincipals.equals(existingPrincipals)) {
     session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);
 }

Whew, hope I got that right. I've attached a diff with changes that solved this issue for
me. The changes are rather minor - the initial principal is saved to the session during login and
restored when the runAs stack is emptied.
 
P.S. All line numbers and the diff file are taken from the 1.2.1 release tag (https://svn.apache.org/repos/asf/shiro/tags/shiro-root-1.2.1)

> runAs feature (still) doesn't work
> ----------------------------------
>
>                 Key: SHIRO-380
>                 URL: https://issues.apache.org/jira/browse/SHIRO-380
>             Project: Shiro
>          Issue Type: Bug
>          Components: Realms 
>    Affects Versions: 1.2.1
>            Reporter: Jochen Munz
>            Assignee: Les Hazlewood
>              Labels: principal, shiro, subject
>         Attachments: SHIRO-380-patch1.diff, shiro_380_webapp.tgz
>
>
> Right after SecurityUtils.getSubject().runAs(new SimplePrincipalCollection(){...})
> SecurityUtils.getSubject().getPrincipal() returns the correct new Principal and
> SecurityUtils.getSubject().getPreviousPrincipals() returns the correct original Principal,
> but DefaultSubjectDAO merge principals in method
> protected void mergePrincipals(Subject subject) {
>   PrincipalCollection currentPrincipals = subject.getPrincipals();
>   ...
>   if (session == null) {
>   ...
>   } else {
>     PrincipalCollection existingPrincipals = (PrincipalCollection) session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
>     if (CollectionUtils.isEmpty(currentPrincipals)) {
>       ...
>     } else {
>        if (!currentPrincipals.equals(existingPrincipals)) {
>             session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);
>       }
>    }
> }
> and after that
> SecurityUtils.getSubject().getPrincipal() and SecurityUtils.getSubject().getPreviousPrincipals()
> both return the new Principal - this is wrong behavior

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
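The request-to-request interaction described in the thread, as an added worked model. This is not Shiro code and not the attached patch: the session is a plain dict, the Subject stand-in imitates just enough of DelegatingSubject (a "principals" field set at creation, a runAs stack in the session that shadows it), and merge_principals_1_2_1 is a transcription of the quoted mergePrincipals logic. The key names and the "guarded" merge are assumptions for illustration; the guarded variant takes a different approach from the patch (it leaves the stored principals alone while a runAs stack exists) and is only there to contrast the two outcomes.

```python
# Constructed model of the SHIRO-380 interaction. NOT Shiro code: a small
# in-memory stand-in for the session, the Subject and
# DefaultSubjectDAO.mergePrincipals as quoted in the issue.

# Placeholder attribute names (assumption); they stand in for
# DefaultSubjectContext.PRINCIPALS_SESSION_KEY and
# DelegatingSubject.RUN_AS_PRINCIPALS_SESSION_KEY.
PRINCIPALS_KEY = "PRINCIPALS_SESSION_KEY"
RUN_AS_KEY = "RUN_AS_PRINCIPALS_SESSION_KEY"


class Subject:
    """Imitates DelegatingSubject: 'principals' is the identity the subject was
    built with; the runAs stack lives in the session and shadows it."""

    def __init__(self, session, principals=None):
        self.session = session
        self.principals = principals

    def login(self, principals):
        self.principals = principals
        self.session[PRINCIPALS_KEY] = principals

    def run_as(self, principals):
        stack = self.session.get(RUN_AS_KEY) or []
        stack.insert(0, principals)  # index 0 is the top of the stack
        self.session[RUN_AS_KEY] = stack

    def release_run_as(self):
        stack = self.session.get(RUN_AS_KEY) or []
        popped = stack.pop(0) if stack else None
        if stack:
            self.session[RUN_AS_KEY] = stack
        else:
            self.session.pop(RUN_AS_KEY, None)
        return popped

    def get_principals(self):
        stack = self.session.get(RUN_AS_KEY)
        return stack[0] if stack else self.principals

    def get_previous_principals(self):
        stack = self.session.get(RUN_AS_KEY)
        if not stack:
            return None
        return stack[1] if len(stack) > 1 else self.principals


def new_request(session):
    """What the filter chain does per request: rebuild the Subject from the
    principals stored in the session."""
    return Subject(session, session.get(PRINCIPALS_KEY))


def merge_principals_1_2_1(subject, session):
    """Transcription of the quoted 1.2.1 logic: store whatever getPrincipals()
    returns, which is the runAs identity whenever a stack exists."""
    current = subject.get_principals()
    existing = session.get(PRINCIPALS_KEY)
    if not current:
        if existing:
            session.pop(PRINCIPALS_KEY, None)
    elif current != existing:
        session[PRINCIPALS_KEY] = current


def merge_principals_guarded(subject, session):
    """One way to avoid the clobber (an assumption, not the attached patch):
    while a runAs stack is present, the stored principals are the real login
    identity and must not be replaced by the assumed one."""
    if session.get(RUN_AS_KEY):
        return
    merge_principals_1_2_1(subject, session)


def simulate(merge):
    """Jochen's scenario over three requests; returns what the third request
    sees before and after releasing runAs."""
    session = {}
    subject = new_request(session)  # request 1: login, then runAs
    subject.login(["user1"])
    subject.run_as(["user2"])

    subject = new_request(session)  # request 2: subject rebuilt, then saved
    merge(subject, session)

    subject = new_request(session)  # request 3: inspect
    current = subject.get_principals()
    previous = subject.get_previous_principals()
    subject.release_run_as()
    after_release = subject.get_principals()
    return current, previous, after_release


if __name__ == "__main__":
    print("1.2.1   :", simulate(merge_principals_1_2_1))
    print("guarded :", simulate(merge_principals_guarded))
```

With the 1.2.1 merge, request 3 reports user2 as both the current and the previous principal, and releasing runAs still leaves user2 in place, since user1 is gone from the session. With the guarded merge the previous principal stays user1 and releasing runAs returns to it.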

        

Mime
View raw message