Posted to user@shiro.apache.org by JMalkan <JM...@mail.com> on 2010/11/08 18:54:51 UTC

How to handle/listen for subject.runAs() like AuthenticationListener

Hi,

I am relatively new to Shiro (3 weeks).
I am implementing user impersonation functionality where an admin can visualize
the system as a user from a particular role/permission.

This is a very nice Shiro feature. It would have been very hard to implement
this without framework support.

One of the things we do in our authentication process is to set a small piece
of user data (see below code sample) in the session via
AuthenticationListener.onSuccess().

Code to read token and retrieve profile from data source.
subject.getSession().setAttribute("USER_PROFILE", profile);

This Listener does not get invoked when subject.runAs(principals) is called.
Currently I have AuthenticationListener.onSuccess() logic in 3 places.

I could think of 3 possible solutions in the Shiro Framework.

1. Execute AuthenticationListener methods treating subject.runAs() like a
login attempt.
2. Add additional methods on the AuthenticationListener to differentiate
between login and runAs attempts.
3. Have a separate interface like AuthenticationRunAsListener.


I would appreciate if someone could guide me in the right direction.


Jiggy.

Re: How to handle/listen for subject.runAs() like AuthenticationListener

Posted by Les Hazlewood <lh...@apache.org>.
Hi Jiggy,

Currently Shiro does not have support for the notion of RunAs events.  I
encourage you to open a Jira issue if you would like to see this as a new
feature.

In the meantime, you can side-step this for now by using your own event
listener mechanism.  Since you control when subject.runAs is called, you can
immediately trigger your own event right after that method is called.  Your
listeners would then react accordingly.

HTH,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and
Training:
http://www.katasoft.com

On Mon, Nov 8, 2010 at 9:54 AM, JMalkan <JM...@mail.com> wrote:

>
> Hi,
>
> I am relatively new to Shiro (3 weeks).
> I am implementing user impersonation functionality where an admin can
> visualize the system as a user from a particular role/permission.
>
> This is a very nice Shiro feature. It would have been very hard to
> implement this without framework support.
>
> One of the things we do in our authentication process is to set a small piece
> of user data (see below code sample) in the session via
> AuthenticationListener.onSuccess().
>
> Code to read token and retrieve profile from data source.
> subject.getSession().setAttribute("USER_PROFILE", profile);
>
> This Listener does not get invoked when subject.runAs(principals) is called.
> Currently I have AuthenticationListener.onSuccess() logic in 3 places.
>
> I could think of 3 possible solutions in the Shiro Framework.
>
> 1. Execute AuthenticationListener methods treating subject.runAs() like a
> login attempt.
> 2. Add additional methods on the AuthenticationListener to differentiate
> between login and runAs attempts.
> 3. Have a separate interface like AuthenticationRunAsListener.
>
>
> I would appreciate if someone could guide me in the right direction.
>
>
> Jiggy.
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/How-to-handle-listen-for-subject-runAs-like-AuthenticationListener-tp5717899p5717899.html
> Sent from the Shiro User mailing list archive at Nabble.com.
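
The workaround described in the reply above, sketched as an added example (not code from the thread or from the Shiro project): a single wrapper calls subject.runAs()/releaseRunAs() and then notifies application-defined listeners. RunAsListener, RunAsSupport, ProfileRunAsListener, ProfileLoader and the IMPERSONATED_BY attribute are hypothetical names; only the Subject, Session and PrincipalCollection calls are Shiro's own API.

```java
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical listener interface; Shiro itself has no RunAs events. */
interface RunAsListener {
    void onRunAs(Subject subject, PrincipalCollection admin, PrincipalCollection assumed);
    void onRelease(Subject subject, PrincipalCollection released);
}

/** Hypothetical wrapper: the one place in the application that calls runAs/releaseRunAs. */
final class RunAsSupport {
    private final List<RunAsListener> listeners = new CopyOnWriteArrayList<>();

    void addListener(RunAsListener l) { listeners.add(l); }

    void runAs(Subject subject, PrincipalCollection assumed) {
        PrincipalCollection admin = subject.getPrincipals(); // identity before impersonation
        subject.runAs(assumed); // Shiro API; throws IllegalStateException if subject has no identity
        for (RunAsListener l : listeners) l.onRunAs(subject, admin, assumed);
    }

    void release(Subject subject) {
        if (!subject.isRunAs()) return; // nothing to undo
        PrincipalCollection released = subject.releaseRunAs();
        for (RunAsListener l : listeners) l.onRelease(subject, released);
    }
}

/** Keeps the USER_PROFILE session attribute in step with the effective identity. */
final class ProfileRunAsListener implements RunAsListener {
    interface ProfileLoader { Object load(PrincipalCollection principals); } // assumed data-source lookup

    private final ProfileLoader loader;
    ProfileRunAsListener(ProfileLoader loader) { this.loader = loader; }

    public void onRunAs(Subject s, PrincipalCollection admin, PrincipalCollection assumed) {
        s.getSession().setAttribute("USER_PROFILE", loader.load(assumed));
        // Record who is really acting so audit logs can attribute actions to the admin.
        s.getSession().setAttribute("IMPERSONATED_BY", admin.getPrimaryPrincipal());
    }

    public void onRelease(Subject s, PrincipalCollection released) {
        // After release, getPrincipals() returns the previous identity again.
        s.getSession().setAttribute("USER_PROFILE", loader.load(s.getPrincipals()));
        if (!s.isRunAs()) s.getSession().removeAttribute("IMPERSONATED_BY");
    }
}
```

Routing every impersonation through the wrapper also gives one point at which to log the start and end of each run-as session.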