We are using CDI in our application along with Shiro, injecting the Shiro
Subject into the application security layer where needed. This Shiro change
that was committed over the weekend and is in the latest SNAPSHOT artefact has
broken the security layer in our application:

    SHIRO-323: removed Serializable from the implements clause (DelegatingSubjects
    are not really intended to be used across vm boundaries)

This breaks our injection of the Shiro Subject due to WELD constraints:

    Caused by: org.jboss.weld.exceptions.IllegalProductException: WELD-000054
    Producers cannot produce non-serializable instances for injection into
    non-transient fields of passivating beans

    Producer: Producer Method [Subject] with qualifiers [@Any @Default] declared as [[method] @Produces public uk.co.acme.SecurityManager.getSubject()]
    Injection Point: [field] @Inject private uk.co.acme.security.Identity.subject

The SecurityManager class provides a Producer method to enable Shiro Subject
injection:

    // CDI producer method: exposes the current Shiro Subject for @Inject
    @Produces
    public Subject getSubject() {
        return SecurityUtils.getSubject();
    }

But I see the SHIRO-323 change removed Serializable from the DelegatingSubject class.

I have two questions - firstly, is this an unintended consequence of the
SHIRO-323 change or is there a problem with the way I am injecting the Shiro
Subject? If it is an unintended consequence, is this a change that could be rolled back?
Secondly - I'd really like to swap from using SNAPSHOT versions to a stable
Shiro 1.2 release. We are using the latest SNAPSHOT version due to problems with
Shiro 1.1.0 that were fixed in later versions. Could anyone provide an update
on a 1.2 release date?
Thanks,
Martin