[ https://issues.apache.org/jira/browse/SHIRO-457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771680#comment-13771680 ]

Stuart Broad commented on SHIRO-457:
------------------------------------

In the context of logging in without a static VM security manager I don't think 
it makes sense to have this exception:

a) It will happen every time someone logs in
b) It looks 'scary' - Looking at the debug you will think there is something 
wrong (Yes you can still mask it, but you would still have the overhead of 
creating and throwing the exception within the code).
c) Why not add the one line to set the security manager?  It would remove the 
exception and would be a more efficient way of setting it in this context.

If people MUST set a static VM security manager then this exception would make 
sense but my understanding is that not using a static VM security manager is 
the way to go.

                
> Login without static VM security manager cause exception in debug
> -----------------------------------------------------------------
>
>                 Key: SHIRO-457
>                 URL: https://issues.apache.org/jira/browse/SHIRO-457
>             Project: Shiro
>          Issue Type: Bug
>          Components: Authentication (log-in)
>    Affects Versions: 1.2.2
>         Environment: Mac OS X 10.8.3, Java 1.6.0_51
>            Reporter: Stuart Broad
>            Priority: Minor
>
> I have run into a possible issue with regards to using the Subject 
> login(use,pwd) API when the SecurityUtils SecurityManager has not been set 
> (SecurityUtils.setSecurityManager(secMgr)).
>         Subject currentUser = new Subject.Builder(securityManager).buildSubject();
>         UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
>         currentUser.login(token);
> The code above results in an exception (this exception is not the end of the 
> world as later in the code the current default security manager will get set 
> so all should be ok):
> 15:31:01.325 [main] DEBUG o.a.s.s.s.DefaultSubjectContext - No SecurityManager available via SecurityUtils.  Heuristics exhausted.
> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an invalid application configuration.
>       at org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123) ~[shiro-core-1.2.1.jar:1.2.1]
>       at org.apache.shiro.subject.support.DefaultSubjectContext.resolveSecurityManager(DefaultSubjectContext.java:106) ~[shiro-core-1.2.1.jar:1.2.1]
>       at org.apache.shiro.mgt.DefaultSecurityManager.ensureSecurityManager(DefaultSecurityManager.java:411) [shiro-core-1.2.1.jar:1.2.1]
>       at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:333) [shiro-core-1.2.1.jar:1.2.1]
>       at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183) [shiro-core-1.2.1.jar:1.2.1]
>       at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283) [shiro-core-1.2.1.jar:1.2.1]
>       at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) [shiro-core-1.2.1.jar:1.2.1]
> I think the issue arises from line 1 of the following code in 
> DefaultSecurityManager:
>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>         SubjectContext context = createSubjectContext();  // <-- Results in a context with no security manager
>         context.setAuthenticated(true);
>         context.setAuthenticationToken(token);
>         context.setAuthenticationInfo(info);
>         if (existing != null) {
>             context.setSubject(existing);
>         }
>         return createSubject(context);  // <-- This complains about no security manager
>     }
> Could the DefaultSecurityManager code instead be as follows?
>     protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
>         SubjectContext context = createSubjectContext();
>         context.setAuthenticated(true);
>         context.setAuthenticationToken(token);
>         context.setAuthenticationInfo(info);
>         context.setSecurityManager(this);  // <-- Set the security manager before the createSubject
>         if (existing != null) {
>             context.setSubject(existing);
>         }
>         return createSubject(context);
>     }
> This exception can be masked but I think it would be better not to raise it 
> in this scenario.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
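
Added example (not from the JIRA thread and not Shiro's own code): the exception text quoted above names two places a SecurityManager is looked up, the ThreadContext and the VM static singleton. The class below binds the manager to the ThreadContext only for the duration of the login and restores the prior binding afterwards, so no static singleton is set and a pooled thread does not keep a stale manager. The class name ScopedLogin and the sample account are assumptions constructed for illustration.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Hypothetical helper class, not part of Shiro.
public class ScopedLogin {

    // Logs in against an explicitly supplied SecurityManager. The manager is
    // bound to the current thread only while the login runs, so the lookup
    // through SecurityUtils succeeds without a VM static singleton.
    public static Subject login(SecurityManager securityManager,
                                String userName, String password) {
        // Remember whatever was bound before, so nested calls are not disturbed.
        SecurityManager previous = ThreadContext.getSecurityManager();
        ThreadContext.bind(securityManager);
        try {
            Subject currentUser = new Subject.Builder(securityManager).buildSubject();
            currentUser.login(new UsernamePasswordToken(userName, password));
            return currentUser;
        } finally {
            // Restore the earlier state even when login() throws
            // AuthenticationException; a thread returned to a pool must not
            // carry this manager into an unrelated request.
            if (previous != null) {
                ThreadContext.bind(previous);
            } else {
                ThreadContext.unbindSecurityManager();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample realm and credentials, for illustration only.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-sample-password");
        SecurityManager securityManager = new DefaultSecurityManager(realm);

        Subject subject = login(securityManager, "alice", "constructed-sample-password");
        System.out.println("authenticated: " + subject.isAuthenticated());
        System.out.println("binding left on thread: " + ThreadContext.getSecurityManager());
    }
}
```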
