I believe that this will behave as you expect if you remove the line:

        dsm.setAuthenticator(new ModularRealmAuthenticator());

The reason being that the security manager doesn't expect you to change 
out the authenticator after adding realms.  This is really just an 
implementation detail of how the security manager is set up, but your 
new authenticator has no realms.  Try:

On Sun 09 Dec 2012 08:32:17 PM CST, ming hsieh wrote:
> Sorry about the previous message, I forgot to add what I wanted to ask.
> Here is what I wanted to ask:
> The second login attempt passes even though I specified
> AllSuccessfulStrategy, why?
> If I comment out the first few lines for the first login attempt, the
> second login attempt fails:
> 2012-12-10 10:30:28,586 [main] INFO  example.ShiroTest - My First Apache Shiro Application
> 2012-12-10 10:30:28,617 [main] INFO  example.ShiroTest - 2 realm size
> 2012-12-10 10:30:28,617 [main] INFO  example.ShiroTest - org.apache.shiro.authc.pam.ModularRealmAuthenticator@578088c0 realm authenticator
> 2012-12-10 10:30:28,617 [main] INFO  example.ShiroTest - org.apache.shiro.authc.pam.AllSuccessfulStrategy@5afec107 authentication strategy
> 2012-12-10 10:30:28,617 [main] DEBUG org.apache.shiro.session.mgt.AbstractValidatingSessionManager - No sessionValidationScheduler set.  Attempting to create default instance.
> 2012-12-10 10:30:28,617 [main] INFO  org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Enabling session validation scheduler...
> 2012-12-10 10:30:28,617 [main] DEBUG org.apache.shiro.session.mgt.DefaultSessionManager - Creating new EIS record for new session instance [org.apache.shiro.session.mgt.SimpleSession,id=null]
> 2012-12-10 10:30:28,648 [main] INFO  example.ShiroTest - Retrieved the correct value! [aValue]
> 2012-12-10 10:30:28,648 [main] ERROR example.ShiroTest - authenticationexception;Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false].  Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
> What does this mean?
>
> Thanks again
>
>
>
>
> On Mon, Dec 10, 2012 at 10:27 AM, ming hsieh <[email protected]> wrote:
>
>     Hi Shiro
>
>     I have written a small test program:
>
>     import java.util.ArrayList;
>     import java.util.List;
>
>     import org.apache.shiro.SecurityUtils;
>     import org.apache.shiro.authc.AuthenticationException;
>     import org.apache.shiro.authc.IncorrectCredentialsException;
>     import org.apache.shiro.authc.LockedAccountException;
>     import org.apache.shiro.authc.UnknownAccountException;
>     import org.apache.shiro.authc.UsernamePasswordToken;
>     import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
>     import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
>     import org.apache.shiro.mgt.DefaultSecurityManager;
>     import org.apache.shiro.mgt.RealmSecurityManager;
>     import org.apache.shiro.mgt.SecurityManager;
>     import org.apache.shiro.realm.Realm;
>     import org.apache.shiro.realm.SimpleAccountRealm;
>     import org.apache.shiro.session.Session;
>     import org.apache.shiro.subject.Subject;
>     import org.slf4j.Logger;
>     import org.slf4j.LoggerFactory;
>
>     public class ShiroTest {
>         private static final transient Logger log = LoggerFactory.getLogger(ShiroTest.class);
>
>         public static void main(String[] args) {
>             log.info("My First Apache Shiro Application");
>             SecurityManager securityManager = null;
>
>             // First login attempt: a security manager with a single realm.
>             securityManager = new DefaultSecurityManager(useTextRealm());
>             SecurityUtils.setSecurityManager(securityManager);
>             doLogin("admin", "admin");
>
>             // Second login attempt: a security manager with two realms.
>             List<Realm> realms = new ArrayList<Realm>();
>             realms.add(useTextRealm());
>             realms.add(useTextRealm2());
>             securityManager = new DefaultSecurityManager(realms);
>             SecurityUtils.setSecurityManager(securityManager);
>             RealmSecurityManager rsm = (RealmSecurityManager) SecurityUtils.getSecurityManager();
>             log.info("{} realm size", rsm.getRealms().size());
>             DefaultSecurityManager dsm = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
>             dsm.setAuthenticator(new ModularRealmAuthenticator());
>             ModularRealmAuthenticator mra = (ModularRealmAuthenticator) dsm.getAuthenticator();
>             log.info("{} realm authenticator", dsm.getAuthenticator());
>             mra.setAuthenticationStrategy(new AllSuccessfulStrategy());
>             log.info("{} authentication strategy", mra.getAuthenticationStrategy());
>             doLogin("admin", "admin");
>
>         }
>
>         // Realm in which admin's password is "admin".
>         private static SimpleAccountRealm useTextRealm() {
>             SimpleAccountRealm simpleRealm = new SimpleAccountRealm();
>             simpleRealm.addAccount("admin", "admin");
>             return simpleRealm;
>         }
>
>         // Realm in which admin's password is "admin2".
>         private static SimpleAccountRealm useTextRealm2() {
>             SimpleAccountRealm simpleRealm = new SimpleAccountRealm();
>             simpleRealm.addAccount("admin", "admin2");
>             return simpleRealm;
>         }
>
>         private static void doLogin(String username, String password) {
>
>             // get the currently executing user:
>             Subject currentUser = SecurityUtils.getSubject();
>
>             // Do some stuff with a Session (no need for a web or EJB container!!!)
>             Session session = currentUser.getSession();
>             session.setAttribute("someKey", "aValue");
>             String value = (String) session.getAttribute("someKey");
>             if (value.equals("aValue")) {
>                 log.info("Retrieved the correct value! [" + value + "]");
>             }
>
>             // let's login the current user so we can check against roles and permissions:
>             if (!currentUser.isAuthenticated()) {
>                 UsernamePasswordToken token = new UsernamePasswordToken(username, password);
>                 try {
>                     currentUser.login(token);
>                 } catch (UnknownAccountException uae) {
>                     log.info("There is no user with username of " + token.getPrincipal());
>                     return;
>                 } catch (IncorrectCredentialsException ice) {
>                     log.info("Password for account " + token.getPrincipal() + " was incorrect!");
>                     return;
>                 } catch (LockedAccountException lae) {
>                     log.info("The account for username " + token.getPrincipal() + " is locked.  " +
>                             "Please contact your administrator to unlock it.");
>                     return;
>                 } catch (AuthenticationException ae) {
>                     log.error("authenticationexception;" + ae.getMessage());
>                     return;
>                 }
>             }
>
>             log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");
>             log.info("someattribute;" + session.getAttribute("someKey"));
>             log.info("is user authenticated;" + currentUser.isAuthenticated());
>
>             //all done - log out!
>             currentUser.logout();
>
>         }
>
>     }
>
>
>     I am a newbie to Shiro so please help me to understand, thanks in
>     advance.
>
>
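
Added example (not part of the original thread and not Shiro's own code): one way to set up the two-realm AllSuccessfulStrategy check discussed in the reply above, by configuring the authenticator the DefaultSecurityManager already owns and only then setting the realms, so a login has to satisfy every realm. The class name, realm names and helper methods are assumptions made for illustration; the accounts are constructed samples mirroring the quoted program, and shiro-core 1.x is assumed on the classpath.

```java
import java.util.Arrays;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

// Hypothetical class name; illustration only.
public class AllSuccessfulExample {
    // Constructed sample realm holding a single account.
    static Realm realm(String name, String user, String password) {
        SimpleAccountRealm r = new SimpleAccountRealm(name);
        r.addAccount(user, password);
        return r;
    }

    static DefaultSecurityManager manager(Realm... realms) {
        DefaultSecurityManager dsm = new DefaultSecurityManager();
        // Configure the authenticator the manager already owns...
        ModularRealmAuthenticator mra = (ModularRealmAuthenticator) dsm.getAuthenticator();
        mra.setAuthenticationStrategy(new AllSuccessfulStrategy());
        // ...then set the realms, so the manager hands them to that authenticator.
        dsm.setRealms(Arrays.asList(realms));
        return dsm;
    }

    static boolean login(DefaultSecurityManager dsm, String user, String password) {
        // Build the subject from this manager explicitly instead of relying on
        // SecurityUtils.getSubject(), which can return a thread-bound subject
        // that was created under a previously installed manager.
        Subject subject = new Subject.Builder(dsm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            return false; // at least one realm refused the token
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager disagree =
                manager(realm("realmA", "admin", "admin"), realm("realmB", "admin", "admin2"));
        DefaultSecurityManager agree =
                manager(realm("realmA", "admin", "admin"), realm("realmB", "admin", "admin"));
        System.out.println("realms disagree: " + login(disagree, "admin", "admin"));
        System.out.println("realms agree:    " + login(agree, "admin", "admin"));
    }
}
```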

