Date: Tue, 8 May 2018 04:23:00 +0000 (UTC)
From: "Mike M Pestorich (JIRA)"
To: dev@shiro.apache.org
Subject: [jira] [Commented] (SHIRO-457) Login without static VM security manager cause exception in debug

    [ https://issues.apache.org/jira/browse/SHIRO-457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16466839#comment-16466839 ]

Mike M Pestorich commented on SHIRO-457:
----------------------------------------

I added a pull request on GitHub for this. Would really like to see it merged. Makes all the sense in the world to me.

[GitHub Pull Request #83|https://github.com/apache/shiro/pull/83]

> Login without static VM security manager cause exception in debug
> -----------------------------------------------------------------
>
>                 Key: SHIRO-457
>                 URL: https://issues.apache.org/jira/browse/SHIRO-457
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in)
>    Affects Versions: 1.2.2
>         Environment: Mac OS X 10.8.3, Java 1.6.0_51
>            Reporter: Stuart Broad
>            Priority: Minor
>
> I have run into a possible issue with regards to using the Subject login(use,pwd) api when the SecurityUtils SecurityManager has not been set (SecurityUtils.setSecurityManager(secMgr)).
>
>     Subject currentUser = new Subject.Builder(securityManager).buildSubject();
>     UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
>     currentUser.login(token);
>
> The code above results in an exception (this exception is not the end of the world as later in the code the current default security manager will get set so all should be ok):
>
>     15:31:01.325 [main] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available via SecurityUtils. Heuristics exhausted.
>     org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
>         at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[shiro-core-1.2.1.jar:1.2.1]
>         at org.apache.shiro.subject.support.DefaultSubjectContext.resolveSecurityManager(DefaultSubjectContext.java:106) ~[shiro-core-1.2.1.jar:1.2.1]
>         at org.apache.shiro.mgt.DefaultSecurityManager.ensureSecurityManager(DefaultSecurityManager.java:411) [shiro-core-1.2.1.jar:1.2.1]
>         at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:333) [shiro-core-1.2.1.jar:1.2.1]
>         at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.1.jar:1.2.1]
>         at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.1.jar:1.2.1]
>         at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [shiro-core-1.2.1.jar:1.2.1]
>
> I think the issue arises from line 1 of the following code in DefaultSecurityManager:
>
>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>         SubjectContext context = createSubjectContext(); // <-- Results in a context with no security manager
>         context.setAuthenticated(true);
>         context.setAuthenticationToken(token);
>         context.setAuthenticationInfo(info);
>         if (existing != null) {
>             context.setSubject(existing);
>         }
>         return createSubject(context); // <-- This complains about no security manager
>     }
>
> Could the DefaultSecurityManager code instead be as follows?
>
>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>         SubjectContext context = createSubjectContext();
>         context.setAuthenticated(true);
>         context.setAuthenticationToken(token);
>         context.setAuthenticationInfo(info);
>         context.setSecurityManager(this); // <-- Set the security manager before the createSubject
>         if (existing != null) {
>             context.setSubject(existing);
>         }
>         return createSubject(context);
>     }
>
> This exception can be masked but I think it would be better not to raise it in this scenario.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
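
An added example, not part of the original message and not code from the Shiro project or from pull request #83: one way an application could get the effect of the change proposed in the quoted report without patching Shiro, by subclassing DefaultSecurityManager so that each SubjectContext it creates already carries the manager. The class names SelfBindingSecurityManager and NonStaticLoginExample and the sample account are hypothetical, and the example assumes createSubjectContext() is a protected, overridable method, as in the 1.2.x line shown in the stack trace.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.SubjectContext;

public class NonStaticLoginExample {

    // Hypothetical subclass (not part of Shiro). Every SubjectContext it
    // creates already references this manager, so resolving the manager
    // during login does not fall back to the SecurityUtils lookup that
    // produces the DEBUG-level UnavailableSecurityManagerException.
    static class SelfBindingSecurityManager extends DefaultSecurityManager {
        SelfBindingSecurityManager(Realm realm) {
            super(realm);
        }

        @Override
        protected SubjectContext createSubjectContext() {
            SubjectContext context = super.createSubjectContext();
            context.setSecurityManager(this);
            return context;
        }
    }

    public static void main(String[] args) {
        // Constructed sample account; a real application supplies its own realm.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "example-password");

        DefaultSecurityManager securityManager = new SelfBindingSecurityManager(realm);

        // SecurityUtils.setSecurityManager(...) is deliberately never called:
        // the Subject is tied to this manager instance only.
        Subject currentUser = new Subject.Builder(securityManager).buildSubject();
        currentUser.login(new UsernamePasswordToken("alice", "example-password"));

        System.out.println("authenticated=" + currentUser.isAuthenticated());
    }
}
```

Keeping the manager off the VM-wide static matters when several independently configured SecurityManager instances live in one JVM, since a static singleton would let one component resolve another component's realms.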