Posted to dev@shiro.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/05/25 12:37:14 UTC
[jira] [Commented] (SHIRO-435) SecurityManager is not a singleton in ShiroWebModule
[ https://issues.apache.org/jira/browse/SHIRO-435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15299977#comment-15299977 ]
ASF GitHub Bot commented on SHIRO-435:
--------------------------------------
GitHub user schnatterer opened a pull request:
https://github.com/apache/shiro/pull/16
Apply patch for SHIRO-435
Applied the [suggested patch](https://issues.apache.org/jira/secure/attachment/12583053/SHIRO-435.path) for [SHIRO-435](https://issues.apache.org/jira/browse/SHIRO-435), after verifying it in a proprietary project.
[According to Pierre-Alexandre Meyer](https://issues.apache.org/jira/browse/SHIRO-435?focusedCommentId=14998934&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14998934), it has also been verified in [Kill Bill](https://github.com/killbill/killbill).
You can merge this pull request into a Git repository by running:
    $ git pull https://github.com/schnatterer/shiro master
Alternatively you can review and apply these changes as the patch at:
    https://github.com/apache/shiro/pull/16.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
    This closes #16
----
commit 66545de6db43796e6673fc18e2cdeb1631c49486
Author: Johannes Schnatterer <jo...@triology.de>
Date: 2016-05-25T12:29:41Z
SHIRO-435: Fix the double SecurityManager singleton. Also prevent the same issue on Environment. Update test cases of ShiroWebModule accordingly. (Patch from https://issues.apache.org/jira/browse/SHIRO-435)
----
> SecurityManager is not a singleton in ShiroWebModule
> ----------------------------------------------------
>
> Key: SHIRO-435
> URL: https://issues.apache.org/jira/browse/SHIRO-435
> Project: Shiro
> Issue Type: Bug
> Components: Integration: Guice
> Affects Versions: 1.2.1
> Reporter: Laszlo Ferenczi
> Assignee: Jared Bunting
> Attachments: SHIRO-435.path
>
>
> While integrating Shiro to our guice based webapp I've noticed
> something strange. The module setup is pretty much the same as the
> example in the Guice page of Shiro's documentation. Only extra code is
> that I'm exposing the WebSecurityManager like this:
>     public class AuthModule extends ShiroWebModule {
>         public AuthModule(ServletContext servletContext) {
>             super(servletContext);
>         }
>         @Override
>         @SuppressWarnings("unchecked")
>         protected void configureShiroWeb() {
>             IniRealm iniRealm = new IniRealm(Ini.fromResourcePath("classpath:shiro.ini"));
>             bindRealm().toInstance(iniRealm);
>             expose(WebSecurityManager.class);
>         }
>     }
> A guice injected SecurityManager instance is not the same as the
> cached static SecurityManager in SecurityUtils.
>     @Path("/Ping")
>     @Singleton
>     public class PingResource {
>         @Inject
>         SecurityManager sec;
>         @Inject
>         WebSecurityManager websec;
>         @GET
>         public void ping() {
>             SecurityManager man = SecurityUtils.getSecurityManager();
>             assert(man == websec);
>             assert(man == sec);
>         }
>     }
> First assert passes, second fails. Debugger confirms that there are 2
> instances in memory, both of them are of type
> DefaultWebSecurityManager but only the WebSecurityManager instance
> works. Any meaningful operation on "sec" will fail (like an
> authorization check).
> I think the problem might be the double binding of SecurityManager(s).
> One is bound in ShiroModule another is in ShiroWebModule:
> in ShiroModule:
>     public void configure() {
>         // setup security manager
>         bindSecurityManager(bind(SecurityManager.class));
> in ShiroWebModule:
>     protected final void configureShiro() {
>         ....
>         bindWebSecurityManager(bind(WebSecurityManager.class));
> Both of these methods are running at init time, hence the duplicated singletons.
> It might be better if ShiroWebModule would override the standard
> configure() method to avoid this double-binding.