A-HAAAAA!
I think I've gotten to the bottom of this. I have a sample test project
available here:
https://github.com/jbowkett/Apache-Shiro-probs
https://github.com/jbowkett/Apache-Shiro-probs
The crux of the problem is that I was using Stripes for my page layout etc.
within one of those layouts, was the shiro:hasRole (to present a link to our
admin area). One of my pages was a generic 404 error page, which also used
the same page layout. I configured this error page with the following in my
web.xml:
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsp/core/not_found.jsp</location>
</error-page>
It would appear when running with Tomcat 6, this error page was re-compiled
on each separate page impression, however, I guess it had not gone through
the Shiro filter so it did not have the SecurityManager instance in its
ThreadLocal, hence the exception trace.
This was wrapped in several re-used layout jsps, so it was a bit of a rats'
nest to untangle (not least because it looked like the layout jsp for the
requested page was causing the exception trace, not a parallel compile of
the 404 page), but hopefully the code example I've put in github should show
the problem in its most obvious form. (You can turn the error on or off, by
commenting out the error page snippet above in the web.xml)
Interestingly, this is not a problem when running my webapp under jetty :
Perhaps Tomcat pre-compiles the 404 page (but on every page impression?) and
jetty does not?
Maybe this is a documentation bug?
Let me know if you need any more info or if I can help any further on this?
(if it's going to go anywhere?)
Best,
-James
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7184705.html
Sent from the Shiro User mailing list archive at Nabble.com.
