cc'ing shiro-user

On Sun, Jun 21, 2009 at 11:13 AM, Manoj Khangaonkar <[email protected]> wrote:
> Hi,
>
> Newbie to this mailing list. Was scanning through the JIRA issues list.
>
> The runAs support discussion caught my attention and if the discussion in
> the following threads is not closed, I would like to add a few cents.
>
> http://markmail.org/message/hnex52p2puw2pip5
>
> http://markmail.org/message/nc7mqs5uxainqg7c
>
> Some of the proposed methods in the above threads are
>
> subject.assumeIdentity( Object principal );
> subject.runAs( Object principal );
> subject.switchUser( Object principal );
>
> Doing a runAs and switching identity based on only the principal is in my
> view a security hole.
> Any developer could introduce a malignant line of code with a call to runAs
> using the principal of another user and hijack the other user's privilege.
> The runAs method should have an authenticated Subject as a parameter.
>
> The method could be
>
> subject.runAs(Subject runAsSubject) ;
>
> What runAs should do is execute a piece of code under the assumed identity.
> And when the execution of the code completes, revert back to the original
> identity without the programmer having to make additional method calls.
>
> What piece of code are we talking about? This needs to be specified as an
> additional parameter. We need an interface to specify the code to execute.
> Let me craft something really simple for discussion purposes.
>
> interface Work {
>     public void run(); // code to execute here
> }
>
> and the runAs signature becomes:
>
> subject.runAs(Subject runasSubject, Work codetoexcute)
>
> This eliminates the need for some of the other methods discussed in the
> threads above such as relinquishAssumedIdentity, getAssumedIdentity etc.
>
> One additional advantage of this approach is that you can do multiple runAs
> calls without getting complicated.
> For example, authenticated user Joe does a runAs Mike. Mike does runAs
> Judy. Judy does runAs Hal. This is possible with 3 nested runAs calls and
> when each call ends, the identity is reset correctly to whatever it was
> prior to the call.
>
> This is similar to the approach taken by doAs* methods of
> javax.security.auth.Subject.
>
> I am very new to Shiro. So if I overlooked anything obvious, please excuse
> the ignorance.
>
> regards
>
> Manoj
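
The scoped runAs proposed in the quoted message, sketched as an added example that is not part of the original mail and is not Shiro's API. DemoSubject, its authenticated flag, the static runAs and current() are hypothetical names; the flag stands in for a subject that was returned by a real authentication step.

```java
import java.util.ArrayDeque;
import java.util.Deque;
public class RunAsDemo {
    // Hypothetical stand-in for an authenticated subject; not Shiro's Subject class.
    record DemoSubject(String principal, boolean authenticated) {}

    interface Work { void run(); }
    // Per-thread identity stack; the top entry is the effective identity.
    private static final ThreadLocal<Deque<DemoSubject>> IDENTITIES =
        ThreadLocal.withInitial(ArrayDeque::new);

    static String current() {
        DemoSubject top = IDENTITIES.get().peek();
        return top == null ? "anonymous" : top.principal();
    }

    static void runAs(DemoSubject runAsSubject, Work work) {
        // A bare principal is not enough: the subject must have passed authentication.
        if (runAsSubject == null || !runAsSubject.authenticated()) {
            throw new SecurityException("runAs requires an authenticated subject");
        }
        Deque<DemoSubject> stack = IDENTITIES.get();
        stack.push(runAsSubject);
        try {
            work.run();
        } finally {
            stack.pop(); // previous identity is restored even if work throws
        }
    }

    public static void main(String[] args) {
        DemoSubject joe = new DemoSubject("joe", true);
        DemoSubject mike = new DemoSubject("mike", true);
        // Constructed sample: built from a principal only, never authenticated.
        DemoSubject forged = new DemoSubject("judy", false);

        runAs(joe, () -> {
            runAs(mike, () -> {
                System.out.println("nested: " + current());
                try {
                    runAs(forged, () -> System.out.println("not reached"));
                } catch (SecurityException e) {
                    System.out.println("rejected, still: " + current());
                }
            });
            System.out.println("restored: " + current());
        });
        System.out.println("after all calls: " + current());
    }
}
```

The try/finally in runAs is what removes the need for an explicit relinquish call, and the rejected call leaves the identity stack untouched because the check runs before the push.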
