Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-435

SecurityManager is not a singleton in ShiroWebModule

    XMLWordPrintableJSON

Details

    Description

      While integrating Shiro to our guice based webapp I've noticed
      something strange. The module setup is pretty much the same as the
      example in the Guice page of Shiro's documentation. Only extra code is
      that I'm exposing the WebSecurityManager like this:

      public class AuthModule extends ShiroWebModule {

      public AuthModule(ServletContext servletContext)

      { super(servletContext); }

      @Override
      @SuppressWarnings("unchecked")
      protected void configureShiroWeb()

      { IniRealm iniRealm = new IniRealm(Ini.fromResourcePath("classpath:shiro.ini")); bindRealm().toInstance(iniRealm); expose(WebSecurityManager.class); }

      }

      A guice injected SecurityManager instance is not the same as the
      cached static SecurityManager in SecurityUtils.

      @Path("/Ping")
      @Singleton
      public class PingResource {
      @Inject
      SecurityManager sec;

      @Inject
      WebSecurityManager websec;

      @GET
      public void ping()

      { SecurityManager man = SecurityUtils.getSecurityManager(); assert(man == websec); assert(man == sec); }

      }

      First assert passes, second fails. Debugger confirms that there are 2
      instances in memory, both of them are of type
      DefaultWebSecurityManager but only the WebSecurityManager instance
      works. Any meaningful operation on "sec" will fail (like an
      authorization check).

      I think the problem might be the double binding of SecurityManager(s).
      One is bound in ShiroModule another is in ShiroWebModule:

      in ShiroModule:

      public void configure() {
      // setup security manager
      bindSecurityManager(bind(SecurityManager.class));

      in ShiroWebModule:

      protected final void configureShiro() {
      ....
      bindWebSecurityManager(bind(WebSecurityManager.class));

      Both of these methods are running at init time, hence the duplicated singletons.

      It might be better if ShiroWebModule would overrinde the standard
      configure() method to avoid this double-binding.

      Attachments

        1. SHIRO-435.path
          3 kB
          picpoc

        Issue Links

          Activity

            People

              deraj123 Jared Bunting
              lferenczi Laszlo Ferenczi
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: