shiro-user mailing list archives

From Les Hazlewood
Subject Re: Subject being changed!
Date Wed, 14 Mar 2012 02:25:50 GMT
It is not a bug - someone (or something) is attempting to create a Session when:

1.  The SessionManager in use at runtime is a
ServletContainerSessionManager instance.  This is the default
SessionManager implementation for a Shiro-enabled web application, and
it delegates to the Servlet container (e.g. Jetty/Tomcat) to do the
'real' session management.


2.  The Subject instance on which subject.getSession() is being called
is not aware of an HTTP request/response pair.  (In a web app, the
Shiro Filter creates WebSubject instances automatically, which are
aware of their 'source' request/response pair).

So in your situation, subject.getSession() is being called, and the
Subject implementation (under the hood) says,

'Hey, SessionManager, create me a new Session please!'

The ServletContainerSessionManager replies (with the exception):

'I'm a web-only SessionManager, and I need a ServletRequest to do that
for you.  Because you're not providing me with a request/response
pair, I can't help you!'.

The easiest solution for this is to use the WebSubject.Builder when
your underlying SessionManager is web-only, and it should work fine.
(Shiro 'native' SessionManagers can function both with and without web
requests, but the ServletContainer-based ones cannot - they are web


Les Hazlewood
CTO, Stormpath | 888.391.5282
twitter: @lhazlewood

On Tue, Mar 13, 2012 at 6:08 PM, Jared Bunting wrote:
> Do you have a stack trace for this error?  It seems like a bug to me.
> On Tue 13 Mar 2012 05:49:21 PM CDT, dan wrote:
>> Hi --
>> I am upgrading to Shiro 1.2 and have the following problem.  In the code, I
>> determine the role of an arbitrary user by calling this method and then
>> doing a hasRole(...):
>>       public Subject getSubjectByLogin(final String login) {
>>               PrincipalCollection principals = new SimplePrincipalCollection(login,
>>               return new Subject.Builder().principals(principals).buildSubject();
>>       }
>> It worked fine with Shiro 1.1.  With Shiro 1.2, searching through the forum,
>> I saw a similar issue and changed the method to use WebSubject:
>>       public Subject getSubjectByLogin(final String login) {
>>               PrincipalCollection principals = new SimplePrincipalCollection(login,
>>               final FacesContext faces = FacesContext.getCurrentInstance();
>>               HttpServletResponse resp =
>> (HttpServletResponse)faces.getExternalContext().getResponse();
>>               HttpServletRequest reqs =
>> (HttpServletRequest)faces.getExternalContext().getRequest();
>>               WebSubject.Builder b = new WebSubject.Builder(reqs, resp);
>>               return b.principals(principals).buildSubject();
>>       }
>> This worked better but it has the side effect of changing the Subject object
>> of the logged in user to the one that was being checked.  The effect is that any
>> subsequent click takes me to an accessDenied page because the changed subject
>> has lesser privileges.
>> So... can you comment on how to retrieve the role of an arbitrary user?
>> Thanks,
>> Dan
>> PS.  I am still wanting to implement Guice support but had to back off on
>> that until this upgrade issue was resolved! ;|
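An added example, not code from this thread or from the Shiro project: one way to check an arbitrary user's role is to pass a PrincipalCollection straight to the SecurityManager, which implements Authorizer, so no Subject is built and the logged-in Subject is not replaced. The realm name, accounts, passwords and roles below are constructed for the demo, and it assumes shiro-core on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.Authorizer;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class ArbitraryUserRoleCheck {

    // Hypothetical helper: role lookup for any login, without Subject.Builder.
    static boolean userHasRole(Authorizer authorizer, String realmName,
                               String login, String role) {
        PrincipalCollection principals = new SimplePrincipalCollection(login, realmName);
        // Authorizer.hasRole(PrincipalCollection, String) consults the realms
        // directly; nothing is bound to the thread or written to a session.
        return authorizer.hasRole(principals, role);
    }

    public static void main(String[] args) {
        // Constructed in-memory realm with two demo accounts.
        SimpleAccountRealm realm = new SimpleAccountRealm("demoRealm");
        realm.addAccount("alice", "constructed-pw-1", "admin", "user");
        realm.addAccount("bob", "constructed-pw-2", "user");

        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        // alice is the logged-in user for this thread.
        SecurityUtils.getSubject().login(new UsernamePasswordToken("alice", "constructed-pw-1"));

        // Look up roles of other users while alice stays logged in.
        boolean bobIsAdmin = userHasRole(securityManager, realm.getName(), "bob", "admin");
        boolean bobIsUser = userHasRole(securityManager, realm.getName(), "bob", "user");
        boolean unknownIsUser = userHasRole(securityManager, realm.getName(), "nobody", "user");

        System.out.println("bob admin?     " + bobIsAdmin);      // false
        System.out.println("bob user?      " + bobIsUser);       // true
        System.out.println("unknown user?  " + unknownIsUser);   // false

        // The current Subject is still alice with her own roles.
        System.out.println("current:       " + SecurityUtils.getSubject().getPrincipal());
        System.out.println("current admin? " + SecurityUtils.getSubject().hasRole("admin"));
    }
}
```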