Posted to dev@shiro.apache.org by "Tommy Becker (Jira)" <ji...@apache.org> on 2020/03/11 17:02:00 UTC
[jira] [Comment Edited] (SHIRO-747) FirstSuccessfulStrategy doesn't properly short circuit
[ https://issues.apache.org/jira/browse/SHIRO-747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17057214#comment-17057214 ]
Tommy Becker edited comment on SHIRO-747 at 3/11/20, 5:01 PM:
--------------------------------------------------------------
Sorry for the brevity [~bdemers]. I'm using Shiro 1.5.1, configured via Guice. Here's the relevant part:
{code:java}
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
ModularRealmAuthenticator authenticator = (ModularRealmAuthenticator) securityManager.getAuthenticator();
FirstSuccessfulStrategy authStrategy = new FirstSuccessfulStrategy();
authStrategy.setStopAfterFirstSuccess(true);
authenticator.setAuthenticationStrategy(authStrategy);
{code}
I verified it is configured correctly and being executed via debugger. This is what I was referring to in the description from {{FirstSuccessfulStrategy}} (comment mine):
{code:java}
public AuthenticationInfo beforeAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException {
    if (getStopAfterFirstSuccess() && aggregate != null && isEmpty(aggregate.getPrincipals())) { // <-- Should this not be !isEmpty()??
        throw new ShortCircuitIterationException();
    }
    return aggregate;
}
{code}
> FirstSuccessfulStrategy doesn't properly short circuit
> ------------------------------------------------------
>
> Key: SHIRO-747
> URL: https://issues.apache.org/jira/browse/SHIRO-747
> Project: Shiro
> Issue Type: Bug
> Affects Versions: 1.5.1
> Reporter: Tommy Becker
> Priority: Major
>
> SHIRO-669 supposedly added a method to skip subsequent authentications if one had already succeeded. But it doesn't work; it conditions throwing the ShortCircuitIterationException in beforeAttempt() in part on the PrincipalCollection being empty, which it will (properly) not be if an authentication has succeeded. I believe the check should be that it is *not* empty. Was this tested??
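An added illustration, not part of the original message and not Shiro's own code: a simplified stand-in for a multi-realm authentication loop, comparing the check as quoted in the comment with the `!isEmpty()` variant the reporter proposes. `FakeRealm`, `consulted` and the realm names are hypothetical, and the model assumes the aggregate stays null until some realm succeeds.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

// Simplified stand-in for the realm loop; none of these types are Shiro's.
public class ShortCircuitDemo {

    // Constructed realm: accepts or rejects every token it is asked about.
    static final class FakeRealm {
        final String name;
        final boolean accepts;
        FakeRealm(String name, boolean accepts) { this.name = name; this.accepts = accepts; }
    }

    // Check as quoted in the comment: fires only when the aggregate has no principals.
    static final Predicate<List<String>> AS_QUOTED = agg -> agg != null && agg.isEmpty();
    // Check the reporter proposes: fires once the aggregate holds a principal.
    static final Predicate<List<String>> PROPOSED = agg -> agg != null && !agg.isEmpty();

    // Returns the names of the realms that were actually asked to authenticate.
    static List<String> consulted(List<FakeRealm> realms, Predicate<List<String>> stopCheck) {
        List<String> asked = new ArrayList<>();
        List<String> aggregate = null;            // assumption: no aggregate before a success
        for (FakeRealm realm : realms) {
            if (stopCheck.test(aggregate)) {      // stands in for ShortCircuitIterationException
                break;
            }
            asked.add(realm.name);                // credentials are presented to this realm
            if (realm.accepts && (aggregate == null || aggregate.isEmpty())) {
                aggregate = new ArrayList<>();
                aggregate.add("user@" + realm.name);   // first success populates the principals
            }
        }
        return asked;
    }

    public static void main(String[] args) {
        // Constructed realm order: one failure, then two realms that would both accept.
        List<FakeRealm> realms = List.of(
                new FakeRealm("ldap", false),
                new FakeRealm("db", true),
                new FakeRealm("legacy", true));
        System.out.println("as quoted: " + consulted(realms, AS_QUOTED));
        System.out.println("proposed:  " + consulted(realms, PROPOSED));
    }
}
```

In this model the quoted check never fires after a success, so the `legacy` realm still receives the submitted credentials; with the proposed check the loop stops after `db`.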