Posted to users@camel.apache.org by "jethwani.bipin@gmail.com" <je...@gmail.com> on 2013/05/05 15:40:41 UTC

camel shiro security policy with alwaysReauthenticate set to false doesn't detect separate user logging-in

Here's the code which I had to re-work to make it work for me
(apache-camel-2.10.4, ShiroSecurityPolicy.authenticateUser).

It was:

    private void authenticateUser(Subject currentUser, ShiroSecurityToken securityToken) {
        if (!currentUser.isAuthenticated()) {
            ...
            currentUser.login(token);
            ...
        }
    }

New:

    private void authenticateUser(Subject currentUser, ShiroSecurityToken securityToken) {
        if (!currentUser.isAuthenticated()
                || (currentUser.isAuthenticated()
                    && !((String) currentUser.getPrincipal()).equals(securityToken.getUsername()))) {
            ...
            currentUser.login(token);
            ...
        }
    }
I have Java remoting built on ActiveMQ and Camel using Camel bean invocation. There's a route from the direct component to JMS on the client side which injects the Shiro security token (nothing special there). And on the other side I have a route from JMS to a bean which has a policy(shiroSecurityPolicy) check using a custom realm. And I noticed that a new user is not detected when the user changes on the client side, and it was kind of a security risk as it was allowing an invalid user to pass through. Now I have limited experience with Apache Shiro, so I thought of checking if this is the correct fix?



--
View this message in context: http://camel.465427.n5.nabble.com/camel-shiro-security-policy-with-alwaysReauthenticate-set-to-false-doesn-t-detect-seperate-user-loggn-tp5732043.html
Sent from the Camel - Users mailing list archive at Nabble.com.
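The following is an added, stand-alone reproduction of the problem described in the post and of the proposed fix, written against plain shiro-core without Camel; it is not code from the Camel project or from the poster. The two authenticateUser* methods are my stand-ins for ShiroSecurityPolicy.authenticateUser on the alwaysReauthenticate=false path, the (username, password) pairs stand in for the ShiroSecurityToken carried by each exchange, the single reused Subject models the consumer thread's Subject, and the accounts are constructed. Logging the previous user out before logging in the new one is my choice (the question Claus raises below), not part of the posted patch.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

/**
 * Reproduces the "stale Subject" problem from the post and exercises the fix
 * with plain shiro-core (no Camel on the classpath). Assumptions: the two
 * authenticateUser* methods are stand-ins for ShiroSecurityPolicy.authenticateUser
 * with alwaysReauthenticate=false, and the accounts below are constructed.
 */
public class StaleSubjectDemo {

    /** Original check: only log in when the reused Subject is not yet authenticated. */
    static void authenticateUserOriginal(Subject currentUser, String username, String password) {
        if (!currentUser.isAuthenticated()) {
            currentUser.login(new UsernamePasswordToken(username, password));
        }
    }

    /**
     * Fixed check: also log in when the token names a different principal.
     * Logging the previous user out first is my choice, not part of the posted
     * patch: it guarantees a failed login for the new user cannot leave the
     * Subject still authenticated as the old one.
     */
    static void authenticateUserFixed(Subject currentUser, String username, String password) {
        boolean sameUser = currentUser.isAuthenticated()
                && username.equals(String.valueOf(currentUser.getPrincipal()));
        if (sameUser) {
            return;
        }
        if (currentUser.isAuthenticated()) {
            currentUser.logout();
        }
        currentUser.login(new UsernamePasswordToken(username, password));
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "alice-secret");   // constructed accounts
        realm.addAccount("bob", "bob-secret");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        // One Subject reused for every message, like the consumer thread's Subject
        // behind the jms -> bean route in the post.
        Subject subject = new Subject.Builder(securityManager).buildSubject();

        // Message 1: alice with valid credentials.
        authenticateUserOriginal(subject, "alice", "alice-secret");
        System.out.println("message 1 (alice/valid), original check: principal=" + subject.getPrincipal());

        // Message 2: "bob" with a wrong password. The original check sees
        // isAuthenticated()==true and skips login, so nothing is verified and the
        // message is processed under the identity left behind by message 1.
        authenticateUserOriginal(subject, "bob", "wrong");
        System.out.println("message 2 (bob/wrong), original check:   principal=" + subject.getPrincipal());

        // The same message against the fixed check: the principal differs from the
        // token username, so login runs and the realm rejects the bad password.
        try {
            authenticateUserFixed(subject, "bob", "wrong");
            System.out.println("message 2 (bob/wrong), fixed check:      accepted (unexpected)");
        } catch (AuthenticationException e) {
            System.out.println("message 2 (bob/wrong), fixed check:      rejected, "
                    + e.getClass().getSimpleName() + ", authenticated=" + subject.isAuthenticated());
        }

        // Message 3: bob with valid credentials; the fixed check switches the principal.
        authenticateUserFixed(subject, "bob", "bob-secret");
        System.out.println("message 3 (bob/valid), fixed check:      principal=" + subject.getPrincipal());
    }
}
```

Compile and run with shiro-core (and an SLF4J binding, or accept the no-op warning) on the classpath. The point worth checking in your own deployment is the second message: with the original check the bad-password message for "bob" never reaches the realm at all. Note also that without the logout step a rejected login leaves the Subject authenticated as the previous user; that is harmless only if the policy fails the exchange, so the logout is the conservative choice.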

Re: camel shiro security policy with alwaysReauthenticate set to false doesn't detect separate user logging-in

Posted by Claus Ibsen <cl...@gmail.com>.
I logged a ticket
https://issues.apache.org/jira/browse/CAMEL-6352

On Mon, May 6, 2013 at 7:30 AM, Claus Ibsen <cl...@gmail.com> wrote:
> Hi
>
> Yeah well spotted.
>
> Not sure if you need to log out the old user when you detect a new user?
> Anyway feel free to log a JIRA ticket and attach a patch with the fix.
> http://camel.apache.org/support



-- 
Claus Ibsen
-----------------
Red Hat, Inc.
FuseSource is now part of Red Hat
Email: cibsen@redhat.com
Web: http://fusesource.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen

Re: camel shiro security policy with alwaysReauthenticate set to false doesn't detect separate user logging-in

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

Yeah well spotted.

Not sure if you need to log out the old user when you detect a new user?
Anyway feel free to log a JIRA ticket and attach a patch with the fix.
http://camel.apache.org/support


