Posted to dev@shiro.apache.org by "Laszlo Ferenczi (JIRA)" <ji...@apache.org> on 2013/05/04 22:44:16 UTC

[jira] [Created] (SHIRO-435) SecurityManager is not a singleton in ShiroWebModule

Laszlo Ferenczi created SHIRO-435:
-------------------------------------

             Summary: SecurityManager is not a singleton in ShiroWebModule
                 Key: SHIRO-435
                 URL: https://issues.apache.org/jira/browse/SHIRO-435
             Project: Shiro
          Issue Type: Bug
          Components: Integration: Guice
    Affects Versions: 1.2.1
            Reporter: Laszlo Ferenczi
            Assignee: Jared Bunting


While integrating Shiro into our Guice-based webapp I've noticed
something strange. The module setup is pretty much the same as the
example on the Guice page of Shiro's documentation. The only extra code is
that I'm exposing the WebSecurityManager like this:

import javax.servlet.ServletContext;

import org.apache.shiro.config.Ini;
import org.apache.shiro.guice.web.ShiroWebModule;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.web.mgt.WebSecurityManager;

public class AuthModule extends ShiroWebModule {

  public AuthModule(ServletContext servletContext) {
    super(servletContext);
  }

  @Override
  @SuppressWarnings("unchecked")
  protected void configureShiroWeb() {
    // Realm configuration comes from shiro.ini on the classpath
    IniRealm iniRealm = new IniRealm(Ini.fromResourcePath("classpath:shiro.ini"));
    bindRealm().toInstance(iniRealm);
    // Make the WebSecurityManager binding visible outside this private module
    expose(WebSecurityManager.class);
  }
}

A guice injected SecurityManager instance is not the same as the
cached static SecurityManager in SecurityUtils.

import javax.ws.rs.GET;
import javax.ws.rs.Path;

import com.google.inject.Inject;
import com.google.inject.Singleton;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.web.mgt.WebSecurityManager;

@Path("/Ping")
@Singleton
public class PingResource {
  @Inject
  SecurityManager sec;

  @Inject
  WebSecurityManager websec;

  @GET
  public void ping() {
    // The instance Shiro itself uses for subject lookups and authorization checks
    SecurityManager man = SecurityUtils.getSecurityManager();

    assert(man == websec);
    assert(man == sec);
  }
}

The first assert passes, the second fails. The debugger confirms that there are 2
instances in memory; both of them are of type
DefaultWebSecurityManager, but only the WebSecurityManager instance
works. Any meaningful operation on "sec" will fail (like an
authorization check).

I think the problem might be the double binding of SecurityManager(s).
One is bound in ShiroModule, another in ShiroWebModule:

in ShiroModule:

public void configure() {
  // setup security manager
  bindSecurityManager(bind(SecurityManager.class));

in ShiroWebModule:

protected final void configureShiro() {
  ....
  bindWebSecurityManager(bind(WebSecurityManager.class));

Both of these methods are running at init time, hence the duplicated singletons.

It might be better if ShiroWebModule would override the standard
configure() method to avoid this double-binding.
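The mechanism described in the report, reproduced in plain Guice as an added example (not code from the ticket or from Shiro): two modules each bind a different key to the same implementation class, and because Guice applies a scope per binding key, each key gets its own "singleton". The interfaces and DefaultWebSecurityManager class here are stand-ins for Shiro's types, and the LinkedModule shows one Guice-level way to make both keys resolve to a single instance; it is an illustration of the Guice semantics, not Shiro's actual fix.

```java
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Scopes;

public class DoubleBindingDemo {
  // Stand-ins for Shiro's interfaces and implementation (hypothetical, for this demo only).
  interface SecurityManager {}
  interface WebSecurityManager extends SecurityManager {}
  static class DefaultWebSecurityManager implements WebSecurityManager {}

  // Mirrors the reported layout: the base module binds the SecurityManager key...
  static class BaseModule extends AbstractModule {
    @Override protected void configure() {
      bind(SecurityManager.class).to(DefaultWebSecurityManager.class).in(Scopes.SINGLETON);
    }
  }

  // ...and the web module binds the WebSecurityManager key to the same implementation.
  static class WebModule extends AbstractModule {
    @Override protected void configure() {
      bind(WebSecurityManager.class).to(DefaultWebSecurityManager.class).in(Scopes.SINGLETON);
    }
  }

  // Guice scopes per binding key, so two keys yield two distinct instances even
  // though both point at one implementation class: this is the reported behaviour.
  static boolean sameInstance(Injector injector) {
    return injector.getInstance(SecurityManager.class)
        == injector.getInstance(WebSecurityManager.class);
  }

  // One way to collapse the pair: keep a single scoped binding for the subtype key and
  // link the supertype key to it (unscoped), so both keys resolve to one instance.
  static class LinkedModule extends AbstractModule {
    @Override protected void configure() {
      bind(WebSecurityManager.class).to(DefaultWebSecurityManager.class).in(Scopes.SINGLETON);
      bind(SecurityManager.class).to(WebSecurityManager.class);
    }
  }

  public static void main(String[] args) {
    System.out.println("separate bindings, same instance? "
        + sameInstance(Guice.createInjector(new BaseModule(), new WebModule())));
    System.out.println("linked binding, same instance?    "
        + sameInstance(Guice.createInjector(new LinkedModule())));
  }
}
```

Requires Guice on the classpath; the first check reproduces the two-instance situation from the report, the second shows the keys sharing one instance.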
