Hi,
I'm using Shiro 1.2.4 in my webapp and I need to check permissions against a
subject (using isPermitted) that does not match the current one available
through the SecurityUtils.getSubject() method.
I defined the following method:

    public static Subject buildSubject(String userId) {
        Principal principal = new Principal(userId);
        PrincipalCollection principals =
                new SimplePrincipalCollection(principal, "MyRealmName");
        return new Subject.Builder().principals(principals).buildSubject();
    }

This method is able to return a Subject on the fly for an arbitrary
userId (e.g. "name@domain").
The method works, but after digging into the server logs I noticed that the
builder creates a new Session each time I call that method.
Why? I do not need a new session, I only want to check a permission.
I tried to change my code in this way:

    return new Subject.Builder()
            .sessionCreationEnabled(false)
            .principals(principals)
            .buildSubject();

but I always get a DisabledSessionException with the following message:
"Session creation has been disabled for the current subject. This exception
indicates that there is either a programming error (using a session when it
should never be used) or that Shiro's configuration needs to be adjusted to
allow Sessions to be created for the current Subject. See the
org.apache.shiro.subject.support.DisabledSessionException JavaDoc for more."
Do you have any suggestions to achieve my needs?
Thank you,
Matteo
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Create-a-Subject-without-session-for-permission-check-only-tp7581034.html
Sent from the Shiro User mailing list archive at Nabble.com.
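
An added example, not part of the original post: Shiro's Authorizer interface (implemented by the SecurityManager) offers isPermitted(PrincipalCollection, String), which evaluates a permission for arbitrary principals without building a Subject. DemoRealm, the permission strings and the use of a plain String principal are assumptions made for illustration.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Authorizer;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class SessionlessPermissionCheck {

    // Hypothetical realm standing in for "MyRealmName"; it grants one
    // constructed permission to one constructed user.
    static class DemoRealm extends AuthorizingRealm {
        DemoRealm() {
            setName("MyRealmName");
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if ("name@domain".equals(principals.getPrimaryPrincipal())) {
                info.addStringPermission("report:read");
            }
            return info;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            return null; // authentication is not exercised in this example
        }
    }

    // Authorization only: no Subject is built here, so no Session is requested.
    static boolean isPermitted(Authorizer authorizer, String userId, String permission) {
        PrincipalCollection principals = new SimplePrincipalCollection(userId, "MyRealmName");
        return authorizer.isPermitted(principals, permission);
    }

    public static void main(String[] args) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new DemoRealm());
        System.out.println(isPermitted(securityManager, "name@domain", "report:read"));
        System.out.println(isPermitted(securityManager, "name@domain", "report:delete"));
        System.out.println(isPermitted(securityManager, "other@domain", "report:read"));
    }
}
```

In a running webapp the Authorizer argument would be the configured SecurityManager, for example the one returned by SecurityUtils.getSecurityManager(). Because this path trusts whatever userId it is handed, the caller must itself be authorized to query other users' permissions.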