Here's the code which I had to rework to make it work for me.

apache-camel-2.10.4
ShiroSecurityPolicy.authenticateUser

*It was:*

    private void authenticateUser(Subject currentUser, ShiroSecurityToken securityToken) {
        // Logs in only when the current Subject is not yet authenticated
        if (!currentUser.isAuthenticated()) {
            ...
            currentUser.login(token);
            ...
        }
    }

*New:*

    private void authenticateUser(Subject currentUser, ShiroSecurityToken securityToken) {
        // Also logs in when the authenticated principal differs from the token's username
        if (!currentUser.isAuthenticated()
                || (currentUser.isAuthenticated()
                    && !((String) currentUser.getPrincipal()).equals(securityToken.getUsername()))) {
            ...
            currentUser.login(token);
            ...
        }
    }

I have Java remoting built on ActiveMQ and Camel using Camel bean invocation. There's a route from the direct component to JMS on the client side which injects the Shiro security token (nothing special there).

And on the other side I have a route from JMS to a bean which has a policy(shiroSecurityPolicy) check using a custom realm.

And I noticed that a new user is not detected when the user changes on the client side, and it was kind of a security risk as it was allowing an invalid user to pass through.

Now, I have limited experience with Apache Shiro, so I thought of checking if this is the correct fix?
--
View this message in context: http://camel.465427.n5.nabble.com/camel-shiro-security-policy-with-alwaysReauthenticate-set-to-false-doesn-t-detect-seperate-user-loggn-tp5732043.html
Sent from the Camel - Users mailing list archive at Nabble.com.
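The situation described in the post above, reproduced against plain Apache Shiro as an added example (it is not part of the original message and not Camel's own code). The class ReauthOnUserChangeDemo, the helpers needsLogin and authenticate, the in-memory realm and the two accounts are constructed for illustration; the null-safe principal comparison and the logout() before switching users are assumptions of this example, not something the post states.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class ReauthOnUserChangeDemo {

    // Hypothetical helper: true when the cached Subject cannot vouch for tokenUser.
    static boolean needsLogin(Subject subject, String tokenUser) {
        Object principal = subject.getPrincipal();    // null when nobody is logged in
        return !subject.isAuthenticated()
                || principal == null
                || !String.valueOf(principal).equals(tokenUser);  // no (String) cast needed
    }

    // Hypothetical stand-in for authenticateUser(): logs in only when needsLogin() says so.
    static void authenticate(Subject subject, String user, String password) {
        if (needsLogin(subject, user)) {
            if (subject.isAuthenticated()) {
                subject.logout();                     // drop the previous user's identity and session
            }
            subject.login(new UsernamePasswordToken(user, password));
        }
    }

    public static void main(String[] args) {
        // Constructed sample accounts in an in-memory realm.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "alice-pw");
        realm.addAccount("bob", "bob-pw");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        // The same thread-bound Subject serves both messages, as on a reused consumer thread.
        Subject subject = SecurityUtils.getSubject();

        authenticate(subject, "alice", "alice-pw");
        System.out.println("after message 1: " + subject.getPrincipal());

        // A check on isAuthenticated() alone would skip login for the next token.
        System.out.println("isAuthenticated-only check skips login: " + subject.isAuthenticated());

        authenticate(subject, "bob", "bob-pw");
        System.out.println("after message 2: " + subject.getPrincipal());
    }
}
```

As with the check posted above, a token that carries the same username as the cached principal is accepted without its credentials being verified again.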