Posted to user@shiro.apache.org by ApacheNinja <dp...@gmail.com> on 2013/04/10 21:06:48 UTC

Issues with the isPermitted() method and DefaultSecurityManager

Hello,

I have been running into a few issues with Apache Shiro.  The description is
as follows:

ISSUE 1:

I have implemented a class called AuthorizerImpl that contains two objects:
an AuthorizingRealm and a Subject.  We have implemented an isPermitted()
method which subsequently calls the isPermitted() method on the subject. 
Our code looks something like this:

// UserContext object uc is passed in here  
AuthorizerImpl auth = new AuthorizerImpl(uc.getUser()); 
auth.isPermitted("winnebago:drive:eagle5");


We initially log in and authenticate a user's permissions using the above
code.  The first time a user logs in, it is a "base user" so to speak.
There are certain screens that are specific to certain users, so we call the
above code again with a different uc.getUser() to verify the new user's
permissions.   What I am seeing though is that the backend Shiro code is
using the previous user to check the permissions, not the new user that I
passed into the isPermitted() method.   Each time we are calling "new
AuthorizerImpl(uc.getUser())" we are creating a new Subject and
AuthorizingRealm that are instance variables inside the AuthorizingRealm
object. It was my impression that when I create a new AuthorizerImpl, it
should use the new subject and realm that we are creating in the
constructor.  However, it seems that Shiro is caching the previous realm
object that was used and is using that?  We are using the
DefaultSecurityManager.  After doing some debugging,  I noticed that the
DefaultSecurityManager has an authorizer instance variable.  It appears to
be using the first authorizer object and not the new one that should be
created with the new user, which leads me to believe it is being cached.
Is there a way to turn off this caching?   Is this what is happening or is
it something else?


ISSUE 2:

We are seeing the following stack trace sporadically in our logs.  I have
done some research on the internet and seen other people come up with this
error where no session ID can be found.  What is the cause of this and how
can it be resolved?

[2013/04/08 11:38:24.806] Exception while checking user permissions for user
exception message: There is no session with id
[b06a5424-29ce-4cf3-9cea-300cb3aca4d0]
[2013/04/08 11:38:24.806] org.apache.shiro.session.UnknownSessionException:
There is no session with id [b06a5424-29ce-4cf3-9cea-300cb3aca4d0]
[2013/04/08 11:38:24.806]     at
org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170)
[2013/04/08 11:38:24.806]     at
org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236)

 
We are using Caucho Resin as our web server.  Thank you in advance.



