shiro-dev mailing list archives

From "Stuart Broad (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-457) Login without static VM security manager cause exception in debug
Date Mon, 16 Sep 2013 08:39:52 GMT
Stuart Broad created SHIRO-457:
----------------------------------

             Summary: Login without static VM security manager cause exception in debug
                 Key: SHIRO-457
                 URL: https://issues.apache.org/jira/browse/SHIRO-457
             Project: Shiro
          Issue Type: Bug
          Components: Authentication (log-in)
    Affects Versions: 1.2.2
         Environment: Mac OS X 10.8.3, Java 1.6.0_51
            Reporter: Stuart Broad
            Priority: Minor


I have run into a possible issue with regard to using the Subject login(user,pwd) API when
the SecurityUtils SecurityManager has not been set (SecurityUtils.setSecurityManager(secMgr)).

{noformat}
        Subject currentUser = new Subject.Builder(securityManager).buildSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
        currentUser.login(token);
{noformat}

The code above results in an exception (this exception is not the end of the world as later
in the code the current default security manager will get set so all should be ok):

{noformat}
15:31:01.325 [main] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available via SecurityUtils.  Heuristics exhausted.
org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
	at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[shiro-core-1.2.1.jar:1.2.1]
	at org.apache.shiro.subject.support.DefaultSubjectContext.resolveSecurityManager(DefaultSubjectContext.java:106) ~[shiro-core-1.2.1.jar:1.2.1]
	at org.apache.shiro.mgt.DefaultSecurityManager.ensureSecurityManager(DefaultSecurityManager.java:411) [shiro-core-1.2.1.jar:1.2.1]
	at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:333) [shiro-core-1.2.1.jar:1.2.1]
	at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.1.jar:1.2.1]
	at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.1.jar:1.2.1]
	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [shiro-core-1.2.1.jar:1.2.1]
{noformat}

I think the issue arises from line 1 of the following code in DefaultSecurityManager:

{noformat}
    protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
        SubjectContext context = createSubjectContext();  // <-- Results in a context with no security manager
        context.setAuthenticated(true);
        context.setAuthenticationToken(token);
        context.setAuthenticationInfo(info);
        if (existing != null) {
            context.setSubject(existing);
        }
        return createSubject(context); // <-- This complains about no security manager
    }
{noformat}

Could the DefaultSecurityManager code instead be as follows?

{noformat}
    protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
        SubjectContext context = createSubjectContext();
        context.setAuthenticated(true);
        context.setAuthenticationToken(token);
        context.setAuthenticationInfo(info);
        context.setSecurityManager(this); // <-- Set the security manager before the createSubject
        if (existing != null) {
            context.setSubject(existing);
        }
        return createSubject(context);
    }
{noformat}

This exception can be masked but I think it would be better not to raise it in this scenario.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
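
The exception text in the report names two lookup locations: the org.apache.shiro.util.ThreadContext and the VM static singleton. As an added example (not code from the report or from the Shiro project), the class below logs in against an explicit SecurityManager by binding it to the current thread only for the duration of the call, so the VM-wide singleton is never set. The class name, account name and password are constructed for illustration, and it assumes shiro-core 1.2.x on the classpath.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Added illustration (hypothetical class name), not code from Shiro or the report.
public class ThreadBoundLogin {

    // Logs in against an explicit SecurityManager without touching the
    // VM-wide singleton held by SecurityUtils.
    static Subject login(SecurityManager securityManager, String userName, String password) {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        // SecurityUtils.getSecurityManager() consults ThreadContext first, so a
        // thread-scoped binding satisfies the lookup seen in the stack trace.
        ThreadContext.bind(securityManager);
        try {
            subject.login(new UsernamePasswordToken(userName, password));
            return subject;
        } finally {
            // Always unbind: a pooled thread must not carry one caller's
            // SecurityManager into the next unit of work.
            ThreadContext.unbindSecurityManager();
        }
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-sample-password"); // constructed test account
        SecurityManager securityManager = new DefaultSecurityManager(realm);

        Subject ok = login(securityManager, "alice", "constructed-sample-password");
        System.out.println("authenticated: " + ok.isAuthenticated());

        try {
            login(securityManager, "alice", "wrong");
        } catch (AuthenticationException e) {
            // A failed login still leaves the thread unbound because of the finally block.
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```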
