Posted to commits@shiro.apache.org by lh...@apache.org on 2012/07/24 18:58:54 UTC
svn commit: r1365167 - in /shiro/branches/1.2.x/web/src:
main/java/org/apache/shiro/web/mgt/ test/java/org/apache/shiro/web/mgt/
Author: lhazlewood
Date: Tue Jul 24 16:58:54 2012
New Revision: 1365167
URL: http://svn.apache.org/viewvc?rev=1365167&view=rev
Log:
SHIRO-350: Prevented session storage when the subject is a non-web subject and the session manager is a web-only session manager.
Modified:
shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSecurityManager.java
shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSessionStorageEvaluator.java
shiro/branches/1.2.x/web/src/test/java/org/apache/shiro/web/mgt/DefaultWebSecurityManagerTest.java
Modified: shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSecurityManager.java
URL: http://svn.apache.org/viewvc/shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSecurityManager.java?rev=1365167&r1=1365166&r2=1365167&view=diff
==============================================================================
--- shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSecurityManager.java (original)
+++ shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSecurityManager.java Tue Jul 24 16:58:54 2012
@@ -20,6 +20,8 @@ package org.apache.shiro.web.mgt;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.DefaultSubjectDAO;
+import org.apache.shiro.mgt.SessionStorageEvaluator;
+import org.apache.shiro.mgt.SubjectDAO;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.SessionContext;
import org.apache.shiro.session.mgt.SessionKey;
@@ -92,6 +94,31 @@ public class DefaultWebSecurityManager e
}
@Override
+ //since 1.2.1 for fixing SHIRO-350
+ public void setSubjectDAO(SubjectDAO subjectDAO) {
+ super.setSubjectDAO(subjectDAO);
+ applySessionManagerToSessionStorageEvaluatorIfPossible();
+ }
+
+ //since 1.2.1 for fixing SHIRO-350
+ @Override
+ protected void afterSessionManagerSet() {
+ super.afterSessionManagerSet();
+ applySessionManagerToSessionStorageEvaluatorIfPossible();
+ }
+
+ //since 1.2.1 for fixing SHIRO-350:
+ private void applySessionManagerToSessionStorageEvaluatorIfPossible() {
+ SubjectDAO subjectDAO = getSubjectDAO();
+ if (subjectDAO instanceof DefaultSubjectDAO) {
+ SessionStorageEvaluator evaluator = ((DefaultSubjectDAO)subjectDAO).getSessionStorageEvaluator();
+ if (evaluator instanceof DefaultWebSessionStorageEvaluator) {
+ ((DefaultWebSessionStorageEvaluator)evaluator).setSessionManager(getSessionManager());
+ }
+ }
+ }
+
+ @Override
protected SubjectContext copy(SubjectContext subjectContext) {
if (subjectContext instanceof WebSubjectContext) {
return new DefaultWebSubjectContext((WebSubjectContext) subjectContext);
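Review bot: The pre-existing `@Override` on the context line before `+ //since 1.2.1 for fixing SHIRO-350` now annotates `setSubjectDAO` with the line comment wedged between the annotation and the signature, while `copy` receives a fresh `@Override` at the end of the hunk; it compiles, but it reads as if `copy` lost its annotation and `setSubjectDAO` gained a stray one. Place the comment above the annotation as is already done for `afterSessionManagerSet` (`//since 1.2.1 for fixing SHIRO-350` then `@Override`). A second point is that `applySessionManagerToSessionStorageEvaluatorIfPossible` only runs when the DAO or the session manager is set on this security manager; if the evaluator on the `DefaultSubjectDAO` is replaced afterwards, the new evaluator presumably never receives the session manager and the SHIRO-350 guard stays inert, so the helper deserves a Javadoc saying so, e.g. `Wires the session manager into a DefaultWebSessionStorageEvaluator when both are present; an evaluator installed on the DAO after configuration is not re-wired.` Note also that `getSessionManager()` may still be null when `setSubjectDAO` runs during construction, which is harmless only because `afterSessionManagerSet` re-applies it later.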
Modified: shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSessionStorageEvaluator.java
URL: http://svn.apache.org/viewvc/shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSessionStorageEvaluator.java?rev=1365167&r1=1365166&r2=1365167&view=diff
==============================================================================
--- shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSessionStorageEvaluator.java (original)
+++ shiro/branches/1.2.x/web/src/main/java/org/apache/shiro/web/mgt/DefaultWebSessionStorageEvaluator.java Tue Jul 24 16:58:54 2012
@@ -19,7 +19,10 @@
package org.apache.shiro.web.mgt;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
+import org.apache.shiro.session.mgt.NativeSessionManager;
+import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.subject.Subject;
+import org.apache.shiro.web.subject.WebSubject;
import org.apache.shiro.web.util.WebUtils;
/**
@@ -45,6 +48,19 @@ import org.apache.shiro.web.util.WebUtil
*/
public class DefaultWebSessionStorageEvaluator extends DefaultSessionStorageEvaluator {
+ //since 1.2.1
+ private SessionManager sessionManager;
+
+ /**
+ * Sets the session manager to use when checking to see if session storage is possible.
+ * @param sessionManager the session manager instance for checking.
+ * @since 1.2.1
+ */
+ //package protected on purpose to maintain point-version compatibility: (1.2.3 -> 1.2.1 should work always).
+ void setSessionManager(SessionManager sessionManager) {
+ this.sessionManager = sessionManager;
+ }
+
/**
* Returns {@code true} if session storage is generally available (as determined by the super class's global
* configuration property {@link #isSessionStorageEnabled()} and no request-specific override has turned off
@@ -71,6 +87,12 @@ public class DefaultWebSessionStorageEva
return false;
}
+ //SHIRO-350: non-web subject instances can't be saved to web-only session managers:
+ //since 1.2.1:
+ if (!(subject instanceof WebSubject) && (this.sessionManager != null && !(this.sessionManager instanceof NativeSessionManager))) {
+ return false;
+ }
+
return WebUtils._isSessionCreationEnabled(subject);
}
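Review bot: When `this.sessionManager` is null the new guard is skipped entirely, so an evaluator that was never wired through `DefaultWebSecurityManager` silently keeps the pre-1.2.1 behaviour for non-web subjects and storage into a web-only session manager is still attempted; that fallback should be stated next to the check, e.g. `// sessionManager == null: evaluator not wired by DefaultWebSecurityManager, keep pre-1.2.1 behaviour`. The compound condition is also hard to scan; naming the second half reads better: `boolean webOnlySessionManager = this.sessionManager != null && !(this.sessionManager instanceof NativeSessionManager);` followed by `if (!(subject instanceof WebSubject) && webOnlySessionManager) { return false; }`. The enclosing `isSessionStorageEnabled` method starts outside the hunk.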
Modified: shiro/branches/1.2.x/web/src/test/java/org/apache/shiro/web/mgt/DefaultWebSecurityManagerTest.java
URL: http://svn.apache.org/viewvc/shiro/branches/1.2.x/web/src/test/java/org/apache/shiro/web/mgt/DefaultWebSecurityManagerTest.java?rev=1365167&r1=1365166&r2=1365167&view=diff
==============================================================================
--- shiro/branches/1.2.x/web/src/test/java/org/apache/shiro/web/mgt/DefaultWebSecurityManagerTest.java (original)
+++ shiro/branches/1.2.x/web/src/test/java/org/apache/shiro/web/mgt/DefaultWebSecurityManagerTest.java Tue Jul 24 16:58:54 2012
@@ -20,11 +20,16 @@ package org.apache.shiro.web.mgt;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
+import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.AbstractSessionManager;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
+import org.apache.shiro.util.LifecycleUtils;
+import org.apache.shiro.web.config.WebIniSecurityManagerFactory;
import org.apache.shiro.web.servlet.ShiroHttpSession;
import org.apache.shiro.web.session.mgt.WebSessionManager;
import org.apache.shiro.web.subject.WebSubject;
@@ -211,4 +216,25 @@ public class DefaultWebSecurityManagerTe
verify(mockResponse);
}
+ /**
+ * Asserts fix for <a href="https://issues.apache.org/jira/browse/SHIRO-350">SHIRO-350</a>.
+ */
+ @Test
+ public void testBuildNonWebSubjectWithDefaultServletContainerSessionManager() {
+
+ Ini ini = new Ini();
+ Ini.Section section = ini.addSection(IniRealm.USERS_SECTION_NAME);
+ section.put("user1", "user1");
+
+ WebIniSecurityManagerFactory factory = new WebIniSecurityManagerFactory(ini);
+
+ WebSecurityManager securityManager = (WebSecurityManager)factory.getInstance();
+
+ PrincipalCollection principals = new SimplePrincipalCollection("user1", "iniRealm");
+ Subject subject = new Subject.Builder(securityManager).principals(principals).buildSubject();
+
+ assertNotNull(subject);
+ assertEquals("user1", subject.getPrincipal());
+ }
+
}
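Review bot: The imports `IniSecurityManagerFactory` and `LifecycleUtils` added in the earlier hunk of this file are not referenced by the new test, so they look like leftovers unless a `LifecycleUtils.destroy(securityManager)` cleanup was intended and dropped; either remove them or add the teardown. The test also only asserts that a subject with the expected principal comes back, which presumably relies on the pre-fix code throwing during subject save for a non-web subject under the default web session manager; that intent is not visible in the test, so a comment such as `// before SHIRO-350 building a non-web Subject here failed when the evaluator tried to store the session` would explain what the assertions protect against.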