You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by martinso <ma...@mjukkultur.se> on 2011/04/04 17:09:56 UTC
Mixing web contexts and non-web contexts in same JVM
Hi,
We are successfully using the DefaultWebSecurityManager in our custom app
server (embedding jetty) to handle user web requests. Now we also have a
proprietary "non-web" service running inside the JVM in which threads should
also be executed in a Shiro context, typically for "automated agent" shiro
users and totally unrelated to any web sessions.
What are the best practices for mixing two scenarios like this in a single
JVM where isolation with ClassLoaders is not an option? Can the
DefaultWebSecurityManager be used also in the non-web threads, or do we need
another solution?
Any help much appreciated.
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Mixing-web-contexts-and-non-web-contexts-in-same-JVM-tp6238960p6238960.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Mixing web contexts and non-web contexts in same JVM
Posted by martinso <ma...@mjukkultur.se>.
Lez,
That's great news! Thanks a million for pointing me right.
/Martin
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Mixing-web-contexts-and-non-web-contexts-in-same-JVM-tp6238960p6240061.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Mixing web contexts and non-web contexts in same JVM
Posted by Les Hazlewood <lh...@apache.org>.
Hi Martin,
The DefaultWebSecurityManager can be used w/ non-web threads: if the
current Subject is not a web subject, the DWSM will delegate to its
parent class, which of course does work in non-web environments.
The key to ensuring this works cleanly is to ensure that thread
cleanup occurs before and after the non-web thread executes. This is
covered in the Subject documentation
(http://shiro.apache.org/subject.html) - see the "Custom Subject
Instances" part, along with the Thread Association sections.
You basically would use a Subject.Builder to construct a Subject
instance, and then call Subject.execute* to ensure the subject is
bound to the thread and removed from the thread before/after
execution. This is what the Shiro Filter does in a web app, but
something you'd need to do yourself for non-web-request scenarios.
HTH!
--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
On Mon, Apr 4, 2011 at 8:09 AM, martinso <ma...@mjukkultur.se> wrote:
> Hi,
>
> We are successfully using the DefaultWebSecurityManager in our custom app
> server (embedding jetty) to handle user web requests. Now we also have a
> proprietary "non-web" service running inside the JVM in which threads should
> also be executed in a Shiro context, typically for "automated agent" shiro
> users and totally unrelated to any web sessions.
>
> What are the best practices for mixing two scenarios like this in a single
> JVM where isolation with ClassLoaders is not an option? Can the
> DefaultWebSecurityManager be used also in the non-web threads, or do we need
> another solution?
>
> Any help much appreciated.
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Mixing-web-contexts-and-non-web-contexts-in-same-JVM-tp6238960p6238960.html
> Sent from the Shiro User mailing list archive at Nabble.com.