Posted to user@shiro.apache.org by martinso <ma...@mjukkultur.se> on 2011/04/04 17:09:56 UTC

Mixing web contexts and non-web contexts in same JVM

Hi,

We are successfully using the DefaultWebSecurityManager in our custom app
server (embedding jetty) to handle user web requests. Now we also have a
proprietary "non-web" service running inside the JVM in which threads should
also be executed in a Shiro context, typically for "automated agent" shiro
users and totally unrelated to any web sessions.

What are the best practices for mixing two scenarios like this in a single
JVM where isolation with ClassLoaders is not an option? Can the
DefaultWebSecurityManager be used also in the non-web threads, or do we need
another solution?

Any help much appreciated.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Mixing-web-contexts-and-non-web-contexts-in-same-JVM-tp6238960p6238960.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Mixing web contexts and non-web contexts in same JVM

Posted by martinso <ma...@mjukkultur.se>.
Les,

That's great news! Thanks a million for pointing me right.

/Martin

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Mixing-web-contexts-and-non-web-contexts-in-same-JVM-tp6238960p6240061.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Mixing web contexts and non-web contexts in same JVM

Posted by Les Hazlewood <lh...@apache.org>.
Hi Martin,

The DefaultWebSecurityManager can be used w/ non-web threads: if the
current Subject is not a web subject, the DWSM will delegate to its
parent class, which of course does work in non-web environments.

The key to ensuring this works cleanly is to ensure that thread
cleanup occurs before and after the non-web thread executes.  This is
covered in the Subject documentation
(http://shiro.apache.org/subject.html) - see the "Custom Subject
Instances" part, along with the Thread Association sections.

You basically would use a Subject.Builder to construct a Subject
instance, and then call Subject.execute* to ensure the subject is
bound to the thread and removed from the thread before/after
execution.  This is what the Shiro Filter does in a web app, but
something you'd need to do yourself for non-web-request scenarios.

HTH!

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Mon, Apr 4, 2011 at 8:09 AM, martinso <ma...@mjukkultur.se> wrote:
> Hi,
>
> We are successfully using the DefaultWebSecurityManager in our custom app
> server (embedding jetty) to handle user web requests. Now we also have a
> proprietary "non-web" service running inside the JVM in which threads should
> also be executed in a Shiro context, typically for "automated agent" shiro
> users and totally unrelated to any web sessions.
>
> What are the best practices for mixing two scenarios like this in a single
> JVM where isolation with ClassLoaders is not an option? Can the
> DefaultWebSecurityManager be used also in the non-web threads, or do we need
> another solution?
>
> Any help much appreciated.
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Mixing-web-contexts-and-non-web-contexts-in-same-JVM-tp6238960p6238960.html
> Sent from the Shiro User mailing list archive at Nabble.com.
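
The Subject.Builder / Subject.execute pattern described in the reply above, as an added Java example that is not part of the original thread or the Shiro project's code. The class name, agent name and realm name are hypothetical, and a DefaultSecurityManager stands in for the application's DefaultWebSecurityManager so the example runs without a servlet container.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class AgentSubjectExample {

    // Build a Subject for an agent identity; this does not bind it to any thread.
    static Subject agentSubject(SecurityManager sm, String agentName, String realmName) {
        return new Subject.Builder(sm)
                .principals(new SimplePrincipalCollection(agentName, realmName))
                .buildSubject();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: stand-in for the security manager the web tier already uses.
        SimpleAccountRealm realm = new SimpleAccountRealm("agentRealm");
        SecurityManager sm = new DefaultSecurityManager(realm);
        Subject agent = agentSubject(sm, "report-agent", realm.getName());

        // The work sees the agent only through SecurityUtils, like web code does.
        Callable<Object> task = () -> SecurityUtils.getSubject().getPrincipal();

        // Current thread: execute() binds the Subject, runs the task, then unbinds.
        System.out.println("execute() ran as: " + agent.execute(task));

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Pooled thread: associateWith() returns a wrapper doing the same
            // bind/unbind on whichever thread eventually runs it.
            Callable<Object> wrapped = agent.associateWith(task);
            System.out.println("pool ran as: " + pool.submit(wrapped).get());

            // Next task on the same reused thread: no Subject may be left behind,
            // otherwise later work would inherit the agent's identity.
            Callable<Boolean> leakCheck = () -> ThreadContext.getSubject() == null;
            System.out.println("pool thread clean: " + pool.submit(leakCheck).get());
        } finally {
            pool.shutdown();
        }
    }
}
```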