shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-435) SecurityManager is not a singleton in ShiroWebModule
Date Wed, 29 Jun 2016 22:08:13 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15355885#comment-15355885
] 

ASF GitHub Bot commented on SHIRO-435:
--------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/shiro/pull/16


> SecurityManager is not a singleton in ShiroWebModule
> ----------------------------------------------------
>
>                 Key: SHIRO-435
>                 URL: https://issues.apache.org/jira/browse/SHIRO-435
>             Project: Shiro
>          Issue Type: Bug
>          Components: Integration: Guice
>    Affects Versions: 1.2.1
>            Reporter: Laszlo Ferenczi
>            Assignee: Jared Bunting
>              Labels: patch, patch-with-test
>         Attachments: SHIRO-435.path
>
>
> While integrating Shiro to our guice based webapp I've noticed
> something strange. The module setup is pretty much the same as the
> example in the Guice page of Shiro's documentation. Only extra code is
> that I'm exposing the WebSecurityManager like this:
> public class AuthModule extends ShiroWebModule {
>   public AuthModule(ServletContext servletContext) {
>     super(servletContext);
>   }
>   @Override
>   @SuppressWarnings("unchecked")
>   protected void configureShiroWeb() {
>     IniRealm iniRealm = new IniRealm(Ini.fromResourcePath("classpath:shiro.ini"));
>     bindRealm().toInstance(iniRealm);
>     expose(WebSecurityManager.class);
>   }
> }
> A guice injected SecurityManager instance is not the same as the
> cached static SecurityManager in SecurityUtils.
> @Path("/Ping")
> @Singleton
> public class PingResource {
>   @Inject
>   SecurityManager sec;
>   @Inject
>   WebSecurityManager websec;
>   @GET
>   public void ping() {
>     SecurityManager man = SecurityUtils.getSecurityManager();
>     assert(man == websec);
>     assert(man == sec);
>   }
> }
> First assert passes, second fails. Debugger confirms that there are 2
> instances in memory, both of them are of type
> DefaultWebSecurityManager but only the WebSecurityManager instance
> works. Any meaningful operation on "sec" will fail (like an
> authorization check).
> I think the problem might be the double binding of SecurityManager(s).
> One is bound in ShiroModule another is in ShiroWebModule:
> in ShiroModule:
> public void configure() {
>   // setup security manager
>   bindSecurityManager(bind(SecurityManager.class));
> in ShiroWebModule:
> protected final void configureShiro() {
>   ....
>   bindWebSecurityManager(bind(WebSecurityManager.class));
> Both of these methods are running at init time, hence the duplicated singletons.
> It might be better if ShiroWebModule would overrinde the standard
> configure() method to avoid this double-binding.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message