shiro-user mailing list archives

From Martin Nielsen <mny...@gmail.com>
Subject Authenticating a Subject without a session with a WebSecurityManager
Date Thu, 05 Apr 2018 07:23:07 GMT
Hi all

I have an application which uses a WebSecurityManager in conjunction with
Apache Wicket. That works all well and good, but now I have encountered a
single issue where I need to authenticate a user through a different
entrance, which does not have any notion of HTTP sessions. When I try to
log in a Subject without a session like this:

Subject shiroSubject = null;
Subject.Builder subjectBuilder = new Subject.Builder(manager).sessionCreationEnabled(false);
shiroSubject = subjectBuilder.buildSubject();
...
shiroSubject.login(new UsernamePasswordToken(user, password));

I tried every permutation of sessionCreationEnabled.

I get the following exception:

javax.security.auth.login.LoginException:
java.lang.IllegalArgumentException: SessionContext must be an HTTP
compatible implementation.
at org.apache.shiro.web.session.mgt.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:103)
at org.apache.shiro.web.session.mgt.ServletContainerSessionManager.start(ServletContainerSessionManager.java:64)
at org.apache.shiro.mgt.SessionsSecurityManager.start(SessionsSecurityManager.java:152)
at org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:336)
at org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:312)
at org.apache.shiro.mgt.DefaultSubjectDAO.mergePrincipals(DefaultSubjectDAO.java:204)
at org.apache.shiro.mgt.DefaultSubjectDAO.saveToSession(DefaultSubjectDAO.java:166)
at org.apache.shiro.mgt.DefaultSubjectDAO.save(DefaultSubjectDAO.java:147)
at org.apache.shiro.mgt.DefaultSecurityManager.save(DefaultSecurityManager.java:383)
at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:350)
at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183)
at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283)
at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)

I then looked at WebSubject.Builder; I can't create a builder without a
Request and Response.

So the question is: When you are using a WebSecurityManager, how do you
authenticate a Subject in a case where there is no Request/Response
available?

The only way that I can see is to hijack the WebSecurityManager's
Authenticator and Authorizer and call their methods directly, completely
ignoring the Subject, but that feels so wrong that I am guessing that I am
way off :)
