Details

      Description

      Right after

          SecurityUtils.getSubject().runAs(new SimplePrincipalCollection() {...});

      SecurityUtils.getSubject().getPrincipal() returns the correct new Principal and
      SecurityUtils.getSubject().getPreviousPrincipals() returns the correct original Principal,

      but DefaultSubjectDAO merges principals in the method

          protected void mergePrincipals(Subject subject) {
              PrincipalCollection currentPrincipals = subject.getPrincipals();
              ...
              if (session == null) {
                  ...
              } else {
                  PrincipalCollection existingPrincipals =
                          (PrincipalCollection) session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
                  if (CollectionUtils.isEmpty(currentPrincipals)) {
                      ...
                  } else {
                      if (!currentPrincipals.equals(existingPrincipals)) {
                          session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);
                      }
                  }
              }
          }

      and after that
      SecurityUtils.getSubject().getPrincipal() and SecurityUtils.getSubject().getPreviousPrincipals() both return the new Principal - this is wrong behavior

      Attachments

      1. SubjectDAO.java (2 kB, Marinus Geuze)
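The round trip the description walks through, as an added reproduction check that is not part of this issue, its attachment, or Shiro's own test suite. It assumes the Shiro 1.2.x API (Subject.Builder, runAs, getPreviousPrincipals, releaseRunAs); the realm name, the "admin" account and the "alice" run-as principal are constructed sample values. Rebuilding the Subject from its session id plays the role of a new request, which is what triggers DefaultSubjectDAO.mergePrincipals() after runAs().

```java
import java.io.Serializable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RunAsRoundTripCheck {

    // Rebuild the Subject from its session id, as every new request does.
    // DefaultSecurityManager.createSubject() saves the Subject afterwards, which is
    // where DefaultSubjectDAO.mergePrincipals() runs against the stored session principals.
    static Subject nextRequest(DefaultSecurityManager sm, Serializable sessionId) {
        return new Subject.Builder(sm).sessionId(sessionId).buildSubject();
    }

    // True when the original identity survives two request boundaries after runAs():
    // getPreviousPrincipals() still names "admin" and releaseRunAs() restores "admin".
    // False reproduces the behaviour reported above (both calls report the run-as user).
    static boolean originalIdentitySurvives(DefaultSecurityManager sm) {
        Subject admin = new Subject.Builder(sm).buildSubject();
        admin.login(new UsernamePasswordToken("admin", "secret"));        // constructed account
        admin.runAs(new SimplePrincipalCollection("alice", "demoRealm")); // constructed run-as user
        Serializable sid = admin.getSession().getId();

        // Request 2: mergePrincipals() sees subject.getPrincipals() == alice, which differs
        // from the stored admin principals, and on an affected version stores alice instead.
        nextRequest(sm, sid);
        // Request 3: built from whatever now sits under PRINCIPALS_SESSION_KEY.
        Subject third = nextRequest(sm, sid);
        Object previous = third.getPreviousPrincipals() == null
                ? null : third.getPreviousPrincipals().getPrimaryPrincipal();
        third.releaseRunAs();
        Object restored = third.getPrincipal();
        return "admin".equals(previous) && "admin".equals(restored);
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm("demoRealm");
        realm.addAccount("admin", "secret");
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(sm);
        System.out.println("original identity survives runAs round trip: "
                + originalIdentitySurvives(sm));
    }
}
```

A false result means the session no longer records who the admin really was, so neither an audit of getPreviousPrincipals() nor releaseRunAs() can get back to the original identity until the user logs out.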

          Activity

          Dan Finkelstein added a comment -

          When trying to upgrade to 1.2, I came across a similar issue. Hopefully, this will help track down the issue.

          My app invokes runAs() on a subject (so that an admin can become a user). Then, later when the subject wishes to revert to "as before", I invoke releaseRunAs() but it has no effect under 1.2. The subject remains unchanged.

          Marinus Geuze added a comment -

          Hi,

          I could not wait till this bug is fixed. So I fixed it myself by subclassing the DefaultSubjectDAO. I attached the code which fixed the bug. You are of course free to use it.

          Greets,
          Marinus

          Marinus Geuze added a comment -

          Fix for this bug, implemented by subclassing Shiro class.

          Les Hazlewood added a comment -

          Great - thanks for the submission!

          Les Hazlewood added a comment -

          The final fix was to handle this in the DelegatingSubject implementation directly.

          The updates to DefaultSubjectDAO were not necessary because the merge logic in that class ensures that the fields in the Subject instance would be saved in the session if not already saved. The runAsPrincipals now always reside in the Session so that isn't necessary.

          Please try out 1.2.1-SNAPSHOT or 1.3.0-SNAPSHOT and let us know if you have any problems! If you do, feel free to reopen this issue and leave comments as to why it didn't work for you (the DelegatingSubjectTest class is more robust on its runAs tests, so we should be ok).

          Les Hazlewood added a comment -

          Closing per the 1.2.1 release.


            People

            Assignee: Les Hazlewood
            Reporter: yourik
            Votes: 5
            Watchers: 6