Posted to dev@shiro.apache.org by "Tommy Becker (Jira)" <ji...@apache.org> on 2020/03/11 17:02:00 UTC

[jira] [Comment Edited] (SHIRO-747) FirstSuccessfulStrategy doesn't properly short circuit

    [ https://issues.apache.org/jira/browse/SHIRO-747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17057214#comment-17057214 ] 

Tommy Becker edited comment on SHIRO-747 at 3/11/20, 5:01 PM:
--------------------------------------------------------------

Sorry for the brevity [~bdemers].  I'm using Shiro 1.5.1, configured via Guice. Here's the relevant part:

{code:java}
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
ModularRealmAuthenticator authenticator = (ModularRealmAuthenticator) securityManager.getAuthenticator();
FirstSuccessfulStrategy authStrategy = new FirstSuccessfulStrategy();
authStrategy.setStopAfterFirstSuccess(true);
authenticator.setAuthenticationStrategy(authStrategy);
{code}

I verified it is configured correctly and being executed via debugger. This is what I was referring to in the description from {{FirstSuccessfulStrategy}} (comment mine):

{code:java}
    public AuthenticationInfo beforeAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException {
        if (getStopAfterFirstSuccess() && aggregate != null && isEmpty(aggregate.getPrincipals())) {  // <-- Should this not be !isEmpty()??
            throw new ShortCircuitIterationException();
        }
        return aggregate;
    }
{code}









> FirstSuccessfulStrategy doesn't properly short circuit
> ------------------------------------------------------
>
>                 Key: SHIRO-747
>                 URL: https://issues.apache.org/jira/browse/SHIRO-747
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.5.1
>            Reporter: Tommy Becker
>            Priority: Major
>
> SHIRO-669 supposedly added a method to skip subsequent authentications if one had already succeeded. But it doesn't work; it conditions throwing the ShortCircuitIterationException in beforeAttempt() in part on the PrincipalCollection being empty, which it will (properly) not be if an authentication has succeeded. I believe the check should be that it is *not* empty. Was this tested??



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
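The following is an added example, not part of the original message and not Shiro code: a stand-alone Java model of the realm iteration that runs the condition quoted in the comment next to the `!isEmpty()` form the reporter proposes, and lists which realms are still handed the login attempt after one has succeeded. All class and method names are hypothetical, and it assumes the aggregate stays null until a realm authenticates successfully.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiPredicate;

// Stand-alone model for illustration; every name here is hypothetical, none is Shiro API.
public class ShortCircuitDemo {

    /** A realm that either accepts or rejects the (constructed) login attempt. */
    static final class Realm {
        final String name;
        final boolean accepts;
        Realm(String name, boolean accepts) { this.name = name; this.accepts = accepts; }
    }

    // Condition as quoted in the comment: stop only if the aggregate has NO principals.
    static boolean quotedCheck(boolean stopAfterFirstSuccess, List<String> aggregate) {
        return stopAfterFirstSuccess && aggregate != null && aggregate.isEmpty();
    }

    // Condition the reporter proposes: stop once the aggregate HAS principals.
    static boolean proposedCheck(boolean stopAfterFirstSuccess, List<String> aggregate) {
        return stopAfterFirstSuccess && aggregate != null && !aggregate.isEmpty();
    }

    /** Walks the realms in order and returns the names of those that were consulted. */
    static List<String> run(List<Realm> realms, BiPredicate<Boolean, List<String>> shouldStop) {
        List<String> consulted = new ArrayList<>();
        List<String> aggregate = null; // assumption: null until some realm succeeds
        for (Realm realm : realms) {
            if (shouldStop.test(true, aggregate)) {
                break; // stands in for ShortCircuitIterationException
            }
            consulted.add(realm.name);
            if (realm.accepts && aggregate == null) {
                aggregate = new ArrayList<>(List.of("user@" + realm.name));
            }
        }
        return consulted;
    }

    // Constructed sample chain: first realm rejects, the next two would both accept.
    static List<Realm> sampleRealms() {
        return List.of(new Realm("ldap", false), new Realm("local", true), new Realm("remote", true));
    }

    public static void main(String[] args) {
        System.out.println("quoted check:   " + run(sampleRealms(), ShortCircuitDemo::quotedCheck));
        System.out.println("proposed check: " + run(sampleRealms(), ShortCircuitDemo::proposedCheck));
    }
}
```

Any realm that appears in the first list but not the second is one that still receives the submitted credentials after authentication has already succeeded.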