Hi

Yeah well spotted.

Not sure if you need to logout the old users when you detect a new user?

Anyway feel free to log a JIRA ticket and attach a patch with the fix.
http://camel.apache.org/support

On Sun, May 5, 2013 at 3:40 PM, jethwani.bi...@gmail.com <jethwani.bi...@gmail.com> wrote:
> Here's the code which I had to re-work to make it work for me.
>
> apache-camel-2.10.4 ShiroSecurityPolicy.authenticateUser
>
> *It was:*
>
>     private void authenticateUser(Subject currentUser, ShiroSecurityToken securityToken) {
>         if (!currentUser.isAuthenticated()) {
>             ...
>             currentUser.login(token);
>             ...
>         }
>     }
>
> *New:*
>
>     private void authenticateUser(Subject currentUser, ShiroSecurityToken securityToken) {
>         if (!currentUser.isAuthenticated() ||
>             (currentUser.isAuthenticated() &&
>              !((String)currentUser.getPrincipal()).equals(securityToken.getUsername()))) {
>             ...
>             currentUser.login(token);
>             ...
>         }
>     }
>
> I have Java remoting built on activemq and camel using camel bean
> invocation. There's a route from direct component to jms on client side which
> injects the shiro security token (nothing special there). And on the other
> side I have a route from jms to bean which has policy(shiroSecurityPolicy)
> check using a custom realm. And I noticed that new user is not detected when
> user changes on the client side and it was kind of security risk as it was
> allowing invalid user to pass through. Now I have limited experience with
> apache shiro, so thought of checking if this is the correct fix????
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/camel-shiro-security-policy-with-alwaysReauthenticate-set-to-false-doesn-t-detect-seperate-user-loggn-tp5732043.html
> Sent from the Camel - Users mailing list archive at Nabble.com.

--
Claus Ibsen
-----------------
Red Hat, Inc.
FuseSource is now part of Red Hat
Email: cib...@redhat.com
Web: http://fusesource.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen
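
The check discussed in this thread, as an added example that is not code from either poster or from Camel: it re-authenticates when the cached subject belongs to a different user, compares the principal null-safely without a cast, and logs the previous user out first. It assumes Apache Shiro is on the classpath; the class name, the String username/password parameters (standing in for ShiroSecurityToken) and the accounts are constructed for illustration.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class ReauthOnUserChange {

    // Hypothetical helper: log in when the subject is unauthenticated OR is
    // authenticated as a different user than the one named in the token.
    static void authenticateUser(Subject currentUser, String username, String password) {
        Object principal = currentUser.getPrincipal();
        boolean sameUser = currentUser.isAuthenticated()
                && principal != null
                && username != null
                && username.equals(principal.toString()); // no (String) cast
        if (sameUser) {
            return; // cached authentication belongs to this user
        }
        if (currentUser.isAuthenticated()) {
            // Drop the previous user's identity and session state before
            // the new login, so nothing of it carries over.
            currentUser.logout();
        }
        // Throws AuthenticationException on bad credentials; because of the
        // logout above, a failed login leaves the subject unauthenticated
        // instead of still authenticated as the previous user.
        currentUser.login(new UsernamePasswordToken(username, password));
    }

    public static void main(String[] args) {
        // Constructed sample accounts in an in-memory realm.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "alice-pw");
        realm.addAccount("bob", "bob-pw");
        Subject subject = new Subject.Builder(new DefaultSecurityManager(realm)).buildSubject();

        authenticateUser(subject, "alice", "alice-pw");
        System.out.println("principal: " + subject.getPrincipal());
        authenticateUser(subject, "bob", "bob-pw"); // user changed on the client side
        System.out.println("principal: " + subject.getPrincipal());
        try {
            authenticateUser(subject, "alice", "wrong-pw"); // changed user, bad password
        } catch (AuthenticationException e) {
            System.out.println("authenticated after failed login: " + subject.isAuthenticated());
        }
    }
}
```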