Posted to dev@shiro.apache.org by Brian Demers <br...@gmail.com> on 2010/05/11 15:33:27 UTC

Status of 'Run As'?

Hey guys,

I was just wondering the status of 'Run As' support (Assume Identity, I
think there were a few other terms that were thrown around too)
https://issues.apache.org/jira/browse/SHIRO-25

I took a look at those patches and reread the previous threads.  I am
assuming this isn't going to make the 1.0 ( can we bump the jira 'fix for'
version? )

To get this support in the past, I have done the following:

        import org.apache.shiro.subject.support.DelegatingSubject;
        import org.apache.shiro.util.ThreadContext;

        // principal is a PrincipalCollection, securityManager is the non-web DefaultSecurityManager
        DelegatingSubject fakeLoggedInSubject = new DelegatingSubject(
principal, /* authenticated */ true, /* host */ null, /* session */ null, /* Non-web */
securityManager );
        // fake the login by binding the subject to the current thread
        ThreadContext.bind( fakeLoggedInSubject );


We are not using this in production yet, but in my web app I need to use two
different SecurityManagers, one for the Web (bound to http requests) and the
default one, for this 'run as' support.  We would be using the 'run as' to
run scheduled tasks (so there is no access to http requests).

Are there flaws behind this approach?

Will / does the official support for this get around the
WebSecurityManager's need for an http request?

Thanks,
Brian

Re: Status of 'Run As'?

Posted by Brian Demers <br...@gmail.com>.
Les,

Thanks for the pointers, this helps a lot!


On Tue, May 11, 2010 at 1:31 PM, Les Hazlewood <lh...@apache.org> wrote:

> Hi Brian,
>
> 'Run As' is intended to make it into 1.0 - it's my last decent
> programming task to clear 1.0 and I'll be working on it today.  It is
> more than halfway done in the DelegatingSubject implementation - it's
> just those methods won't be made available in the Subject interface
> until they're finished.
>
> Also, everyone should try to avoid using the ThreadContext as much as
> possible as its usages can be brittle.  The Subject interface has the
> execute* and associateWith* methods which perform the thread binding
> and unbinding automatically in all cases and those should be used
> depending on your needs.  If you still feel that you must create your
> own Subject instance, the way to do that is via the Subject.Builder
> mechanism.
>
> That's documented here:
> https://cwiki.apache.org/confluence/display/SHIRO/Subject
>
> Look for the 'Subject.Builder' section - the recommended approach is
> the 'Automatic Association' and 'A Different Thread' sections ('Manual
> Association' is best left for very low level framework work).
>
> But all this might not even be necessary for you - you should check
> out the new Executor/ExecutorService/ScheduledExecutorService support
> new to 1.0 (not yet documented in the wiki) located in the
> org.apache.shiro.concurrent package.  They are JavaDoc'd already and
> explain exactly why you might want to use one.
>
> Finally, as for the WebSecurityManagers failing for non-request-based
> interaction, that has been resolved in
> https://issues.apache.org/jira/browse/SHIRO-111
>
> If a method is called that requires a request/response pair, and that
> pair is not available for some reason, the web-specific method is not
> called and only the superclass (DefaultSecurityManager) logic
> executes.  The same principle exists in the DefaultWebSessionManager
> if using native sessions as well.
>
> HTH!
>
> Les
>
> On Tue, May 11, 2010 at 6:33 AM, Brian Demers <br...@gmail.com>
> wrote:
> > Hey guys,
> >
> > I was just wondering the status of 'Run As' support (Assume Identity, I
> > think there were a few other terms that were thrown around too)
> > https://issues.apache.org/jira/browse/SHIRO-25
> >
> > I took a look at those patches and reread the previous threads.  I am
> > assuming this isn't going to make the 1.0 ( can we bump the jira 'fix for'
> > version? )
> >
> > To get this support in the past, I have done the following:
> >
> >        DelegatingSubject fakeLoggedInSubject = new DelegatingSubject(
> > principal, /* authenticated */ true, null, null, /* Non-web */
> > securityManager );
> >        // fake the login
> >        ThreadContext.bind( fakeLoggedInSubject );
> >
> >
> > We are not using this in production yet, but in my web app I need to use two
> > different SecurityManagers, one for the Web (bound to http requests) and the
> > default one, for this 'run as' support.  We would be using the 'run as' to
> > run scheduled tasks (so there is no access to http requests).
> >
> > Are there flaws behind this approach?
> >
> > Will / does the official support for this get around the
> > WebSecurityManager's need for an http request?
> >
> > Thanks,
> > Brian
> >
>

Re: Status of 'Run As'?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Brian,

'Run As' is intended to make it into 1.0 - it's my last decent
programming task to clear 1.0 and I'll be working on it today.  It is
more than halfway done in the DelegatingSubject implementation - it's
just those methods won't be made available in the Subject interface
until they're finished.

Also, everyone should try to avoid using the ThreadContext as much as
possible as its usages can be brittle.  The Subject interface has the
execute* and associateWith* methods which perform the thread binding
and unbinding automatically in all cases and those should be used
depending on your needs.  If you still feel that you must create your
own Subject instance, the way to do that is via the Subject.Builder
mechanism.

That's documented here:
https://cwiki.apache.org/confluence/display/SHIRO/Subject

Look for the 'Subject.Builder' section - the recommended approach is
the 'Automatic Association' and 'A Different Thread' sections ('Manual
Association' is best left for very low level framework work).

But all this might not even be necessary for you - you should check
out the new Executor/ExecutorService/ScheduledExecutorService support
new to 1.0 (not yet documented in the wiki) located in the
org.apache.shiro.concurrent package.  They are JavaDoc'd already and
explain exactly why you might want to use one.

Finally, as for the WebSecurityManagers failing for non-request-based
interaction, that has been resolved in
https://issues.apache.org/jira/browse/SHIRO-111

If a method is called that requires a request/response pair, and that
pair is not available for some reason, the web-specific method is not
called and only the superclass (DefaultSecurityManager) logic
executes.  The same principle exists in the DefaultWebSessionManager
if using native sessions as well.

HTH!

Les

On Tue, May 11, 2010 at 6:33 AM, Brian Demers <br...@gmail.com> wrote:
> Hey guys,
>
> I was just wondering the status of 'Run As' support (Assume Identity, I
> think there were a few other terms that were thrown around too)
> https://issues.apache.org/jira/browse/SHIRO-25
>
> I took a look at those patches and reread the previous threads.  I am
> assuming this isn't going to make the 1.0 ( can we bump the jira 'fix for'
> version? )
>
> To get this support in the past, I have done the following:
>
>        DelegatingSubject fakeLoggedInSubject = new DelegatingSubject(
> principal, /* authenticated */ true, null, null, /* Non-web */
> securityManager );
>        // fake the login
>        ThreadContext.bind( fakeLoggedInSubject );
>
>
> We are not using this in production yet, but in my web app I need to use two
> different SecurityManagers, one for the Web (bound to http requests) and the
> default one, for this 'run as' support.  We would be using the 'run as' to
> run scheduled tasks (so there is no access to http requests).
>
> Are there flaws behind this approach?
>
> Will / does the official support for this get around the
> WebSecurityManager's need for an http request?
>
> Thanks,
> Brian
>
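The path Les recommends, worked through as an added example (not code from this thread and not the Shiro project's own code): instead of constructing a DelegatingSubject by hand and calling ThreadContext.bind as in Brian's snippet, the job's Subject is built with Subject.Builder and handed to a plain JDK ScheduledExecutorService through associateWith, so the binding and unbinding on the worker thread is done by Shiro and no request/response pair is involved. The in-memory Ini configuration, the 'scheduler' user, the 'batch' role, the 'jobs:run' permission and the class name ScheduledRunAsExample are constructed for the example; 'iniRealm' is the realm name IniSecurityManagerFactory assigns to its realm by default.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Runs a scheduled job under a pre-built "service" Subject without a
 * request/response pair and without calling ThreadContext directly.
 */
public class ScheduledRunAsExample {

    // Constructed, in-memory configuration standing in for the application's
    // real realm; the user, role and permission below are illustration only.
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.addSection("users").put("scheduler", "not-a-real-password, batch");
        ini.addSection("roles").put("batch", "jobs:run");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /** Builds an authenticated Subject for the job principal via Subject.Builder. */
    static Subject buildJobSubject(SecurityManager securityManager) {
        // "iniRealm" is the default realm name used by IniSecurityManagerFactory.
        PrincipalCollection principals =
                new SimplePrincipalCollection("scheduler", "iniRealm");
        return new Subject.Builder(securityManager)
                .principals(principals)
                .authenticated(true)
                .buildSubject();
    }

    /** The job body: it sees the associated Subject through SecurityUtils. */
    static Callable<String> nightlyJob() {
        return new Callable<String>() {
            public String call() {
                Subject current = SecurityUtils.getSubject();
                // Throws AuthorizationException if the principal lacks the permission,
                // so the job is authorized like any interactive caller would be.
                current.checkPermission("jobs:run");
                return "ran as " + current.getPrincipal();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        SecurityManager securityManager = buildSecurityManager();
        SecurityUtils.setSecurityManager(securityManager);

        Subject jobSubject = buildJobSubject(securityManager);

        // associateWith wraps the Callable so the Subject is bound to the worker
        // thread only for the duration of call() and unbound afterwards.
        Callable<String> boundJob = jobSubject.associateWith(nightlyJob());

        ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
        try {
            ScheduledFuture<String> future =
                    scheduler.schedule(boundJob, 100, TimeUnit.MILLISECONDS);
            System.out.println(future.get());   // prints: ran as scheduler
        } finally {
            scheduler.shutdown();
        }

        // Nothing leaked onto the submitting thread: its Subject is still anonymous.
        System.out.println(SecurityUtils.getSubject().getPrincipal() == null);   // true
    }
}
```

The SecurityManager still ends up creating a DelegatingSubject internally, so the result is the same object Brian built by hand; the difference is that the thread binding is scoped to the task and cleaned up even if call() throws, which is the brittleness Les is warning about with a bare ThreadContext.bind. The wrappers in org.apache.shiro.concurrent that Les mentions do this associateWith call for you at submission time using whatever Subject is bound to the submitting thread, which suits request-initiated work; a scheduler thread has no Subject of its own, so for Brian's case the explicit Subject.Builder plus associateWith shown here is the fit.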