From: "Stuart Broad (JIRA)"
To: dev@shiro.apache.org
Date: Mon, 16 Sep 2013 08:39:53 +0000 (UTC)
Subject: [jira] [Updated] (SHIRO-457) Login without static VM security manager cause exception in debug

     [ https://issues.apache.org/jira/browse/SHIRO-457?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stuart Broad updated SHIRO-457:
-------------------------------

    Description:
I have run into a possible issue with regards to using the Subject login(use,pwd) API when the SecurityUtils SecurityManager has not been set (SecurityUtils.setSecurityManager(secMgr)).

    Subject currentUser = new Subject.Builder(securityManager).buildSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
    currentUser.login(token);

The code above results in an exception (this exception is not the end of the world, as later in the code the current default security manager will get set, so all should be OK):

    15:31:01.325 [main] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available via SecurityUtils. Heuristics exhausted.
    org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
        at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[shiro-core-1.2.1.jar:1.2.1]
        at org.apache.shiro.subject.support.DefaultSubjectContext.resolveSecurityManager(DefaultSubjectContext.java:106) ~[shiro-core-1.2.1.jar:1.2.1]
        at org.apache.shiro.mgt.DefaultSecurityManager.ensureSecurityManager(DefaultSecurityManager.java:411) [shiro-core-1.2.1.jar:1.2.1]
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:333) [shiro-core-1.2.1.jar:1.2.1]
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.1.jar:1.2.1]
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.1.jar:1.2.1]
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [shiro-core-1.2.1.jar:1.2.1]

I think the issue arises from line 1 of the following code in DefaultSecurityManager:

    protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
        SubjectContext context = createSubjectContext(); // Results in a context with no security manager
        context.setAuthenticated(true);
        context.setAuthenticationToken(token);
        context.setAuthenticationInfo(info);
        if (existing != null) {
            context.setSubject(existing);
        }
        return createSubject(context); // This complains about no security manager
    }

Could the DefaultSecurityManager code instead be as follows?

    protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
        SubjectContext context = createSubjectContext();
        context.setAuthenticated(true);
        context.setAuthenticationToken(token);
        context.setAuthenticationInfo(info);
        context.setSecurityManager(this); // Set the security manager before the createSubject
        if (existing != null) {
            context.setSubject(existing);
        }
        return createSubject(context);
    }

This exception can be masked, but I think it would be better not to raise it in this scenario.

  was:
I have run into a possible issue with regards to using the Subject login(use,pwd) API when the SecurityUtils SecurityManager has not been set (SecurityUtils.setSecurityManager(secMgr)).

{noformat}
Subject currentUser = new Subject.Builder(securityManager).buildSubject();
UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
currentUser.login(token);
{noformat}

The code above results in an exception (this exception is not the end of the world, as later in the code the current default security manager will get set, so all should be OK):

{noformat}
15:31:01.325 [main] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available via SecurityUtils. Heuristics exhausted.
org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
    at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[shiro-core-1.2.1.jar:1.2.1]
    at org.apache.shiro.subject.support.DefaultSubjectContext.resolveSecurityManager(DefaultSubjectContext.java:106) ~[shiro-core-1.2.1.jar:1.2.1]
    at org.apache.shiro.mgt.DefaultSecurityManager.ensureSecurityManager(DefaultSecurityManager.java:411) [shiro-core-1.2.1.jar:1.2.1]
    at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:333) [shiro-core-1.2.1.jar:1.2.1]
    at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.1.jar:1.2.1]
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.1.jar:1.2.1]
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [shiro-core-1.2.1.jar:1.2.1]
{noformat}

I think the issue arises from line 1 of the following code in DefaultSecurityManager:

{noformat}
protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
    SubjectContext context = createSubjectContext(); // Results in a context with no security manager
    context.setAuthenticated(true);
    context.setAuthenticationToken(token);
    context.setAuthenticationInfo(info);
    if (existing != null) {
        context.setSubject(existing);
    }
    return createSubject(context); // This complains about no security manager
}
{noformat}

Could the DefaultSecurityManager code instead be as follows?

{noformat}
protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
    SubjectContext context = createSubjectContext();
    context.setAuthenticated(true);
    context.setAuthenticationToken(token);
    context.setAuthenticationInfo(info);
    context.setSecurityManager(this); // Set the security manager before the createSubject
    if (existing != null) {
        context.setSubject(existing);
    }
    return createSubject(context);
}
{noformat}

This exception can be masked, but I think it would be better not to raise it in this scenario.


> Login without static VM security manager cause exception in debug
> -----------------------------------------------------------------
>
>                 Key: SHIRO-457
>                 URL: https://issues.apache.org/jira/browse/SHIRO-457
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in)
>    Affects Versions: 1.2.2
>         Environment: Mac OS X 10.8.3, Java 1.6.0_51
>            Reporter: Stuart Broad
>            Priority: Minor
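
A caller-side way to keep the lookup in the stack trace above from failing, without installing a VM-static singleton, is to bind the manager to the current thread only for the duration of the login call. This is an added example, not code from the report or from the Shiro project; it assumes shiro-core is on the classpath and that SecurityUtils.getSecurityManager() consults the ThreadContext binding, as the exception text indicates. The class name, helper name, realm and account are constructed for illustration.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Hypothetical class name; not part of Shiro or of the original report.
public class ScopedLoginExample {

    // Hypothetical helper: binds the manager to the current thread for the
    // login call only, then restores whatever binding the thread had before.
    static void loginWithThreadBinding(SecurityManager manager, Subject subject,
                                       UsernamePasswordToken token) {
        SecurityManager previous = ThreadContext.getSecurityManager();
        ThreadContext.bind(manager);
        try {
            // With a thread-bound manager present, the fallback lookup made
            // while the post-login Subject is created finds one, so no
            // UnavailableSecurityManagerException is raised and logged.
            subject.login(token);
        } finally {
            // Never leave the binding behind on a pooled thread.
            ThreadContext.unbindSecurityManager();
            if (previous != null) {
                ThreadContext.bind(previous);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory realm and account, for illustration only.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "example-password");
        SecurityManager manager = new DefaultSecurityManager(realm);

        // Same construction as in the report: the Subject is built against an
        // explicit manager and SecurityUtils.setSecurityManager is never called.
        Subject currentUser = new Subject.Builder(manager).buildSubject();
        loginWithThreadBinding(manager, currentUser,
                new UsernamePasswordToken("alice", "example-password"));

        System.out.println("authenticated: " + currentUser.isAuthenticated());
    }
}
```

Scoping the binding to one call keeps applications that run more than one SecurityManager in the same VM from sharing a process-wide default.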