Hi,

I think this is a configuration issue.
Only one security manager should be created in your application. In a 
standalone app, it would be in the main method. In a web application, it would 
be in a ServletContextListener.
Then you can access the subject in your application using 
SecurityUtils.getSubject().

So to login a user, you may do something like:
        Subject currentUser = SecurityUtils.getSubject();
        if(!currentUser.isAuthenticated()){
            UsernamePasswordToken token = new UsernamePasswordToken(user.getUserName(), "");
            try{
                currentUser.login(token);
            } catch (AuthenticationException ex){
                Log.exception(ex);
            }
        }

To allow an admin to run the application as another user, simply do this:
        Subject currentUser = SecurityUtils.getSubject();
        PrincipalCollection principals = new SimplePrincipalCollection(specificUserPrincipal, realmName);
        // Call runAs on the subject obtained above
        currentUser.runAs(principals);

Christian
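
The setup described in the reply above, put together as an added example that is not part of the original message: one security manager registered once, a login, and a run-as that is gated on a role and later released. It assumes Shiro 1.x on the classpath; the realm name, accounts, passwords, the "administrator" role and the impersonate() helper are constructed for illustration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RunAsExample {
    static final String REALM = "exampleRealm"; // constructed realm name

    // Hypothetical helper: runAs() itself performs no authorization check,
    // so the application has to decide who is allowed to call it.
    static void impersonate(Subject caller, String targetUser) {
        if (!caller.isAuthenticated() || !caller.hasRole("administrator")) {
            throw new UnauthorizedException("runAs requires the administrator role");
        }
        caller.runAs(new SimplePrincipalCollection(targetUser, REALM));
    }

    public static void main(String[] args) {
        // Constructed sample accounts: username, password, roles.
        SimpleAccountRealm realm = new SimpleAccountRealm(REALM);
        realm.addAccount("admin", "admin-secret", "administrator");
        realm.addAccount("alice", "alice-secret", "clerk");

        // Created once for the whole application, never per user or per login.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("admin", "admin-secret"));
        System.out.println(currentUser.getPrincipal()
                + " has clerk role: " + currentUser.hasRole("clerk"));

        impersonate(currentUser, "alice");
        // Role and permission checks now resolve against alice; the admin
        // identity remains available so audit logs can record who acted.
        System.out.println(currentUser.getPrincipal()
                + " has clerk role: " + currentUser.hasRole("clerk")
                + ", real identity: "
                + currentUser.getPreviousPrincipals().getPrimaryPrincipal());

        currentUser.releaseRunAs(); // drop the assumed identity, back to admin
        System.out.println("run-as active: " + currentUser.isRunAs());
        currentUser.logout();
    }
}
```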

-----Original Message-----
From: ApacheNinja [mailto:[email protected]]
Sent: May-15-13 10:15 AM
To: [email protected]
Subject: RE: Too many threads created when calling isPermitted()

Hello,

Yes, we are using the latest release of Shiro.  We are primarily using
Shiro to check user permissions.  We are not using it to log in to our 
application.  We are creating our Subject using the following method:

    protected void setAuthorizerSubject(UsersDVO user){
        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setRealm(realm);
        securityManager.setAuthenticator(new MockAuthenticator());
        SecurityUtils.setSecurityManager(securityManager);
        Subject currentUser = new DelegatingSubject(securityManager);
        if(!currentUser.isAuthenticated()){
            UsernamePasswordToken token = new UsernamePasswordToken(user.getUserName(), "");
            try{
                currentUser.login(token);
            } catch (AuthenticationException ex){
                Log.exception(ex);
            }
        }
        this.subject = currentUser;
    }

This is created once when the user logs in.  In our application it is possible 
to log in as a general administrator first, then log in again as a more 
specific user.  So this may be called twice.  We then use the Subject object to 
call the isPermitted() object, which checks to see if the user has access to 
different portions of our application.  In our Realm object we have set 
setAuthorizationCachingEnabled(false) (I don't think this makes a difference 
but I thought I would include this information anyway).  Looking at the stack 
trace when calling isPermitted(), I see that it goes through the Shiro API and 
then calls our implementation doGetAuthorizationInfo():

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = null;
        if( user != null ) {
            info = new SimpleAuthorizationInfo();
            List<Role> roles = roleManager.getRolesForUser(user.getUserID());
            List<EPermission> permissions = permissionManager.getPermissionsForUser(user.getUserID());
            for(Role role : roles) {
                info.addRole(role.getName());
            }
            for(EPermission permission : permissions){
                info.addStringPermission(permission.getName());
            }
        }

        return info;
    }

Somewhere in there a new thread is being generated but I don't know where.



--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Too-many-threads-created-when-calling-isPermitted-tp7578725p7578734.html
Sent from the Shiro User mailing list archive at Nabble.com.
