isAuthenticated() returns false when the Jetty thread changes


dsf49
I'm just getting started with Shiro. I'm using it in a SparkJava site. I have authentication mostly working, but after turning on trace logging for the ThreadContext class, I'm noticing that the subject is suddenly not authenticated when there's a new thread being used in the Jetty request. I assumed that a subject's state is the same across all threads in the same Jetty instance, but that doesn't seem to be the case here.

I did the Shiro init in the main SparkJava thread:
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);

And I'm not passing around a SecurityManager instance. My authentication check happens in a before() filter in SparkJava and that's where it will fail when the thread changes.

What am I missing?

Thanks,
Dave
Re: isAuthenticated() returns false when the Jetty thread changes

sreenivas harshith

Hi,

This is the issue with thread context. I had the same issue. Use subject builder to build a subject and don't use securityutils.subject(). In a multi-threaded environment there is this issue. Please have a look at the comments where I have found the issue and posted a solution.



--
Sent from the Shiro User mailing list archive at Nabble.com.
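
The advice in the reply above (build the Subject explicitly instead of relying on what is bound to the current thread), as an added example that is not code from this thread or from the linked JIRA issue. It assumes the native-session SecurityManager that IniSecurityManagerFactory creates and Spark 2.6+ for afterAfter(); the class name, cookie name, request attribute, form fields and /secure/* path are hypothetical.

```java
import static spark.Spark.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
import org.apache.shiro.util.ThreadState;

public class PerRequestSubject {
    static final String COOKIE = "SID";               // hypothetical cookie name
    static final String STATE = "shiro.threadState";  // hypothetical request attribute

    // Call once, after SecurityUtils.setSecurityManager(...) from the original post.
    public static void routes() {
        // Build the Subject from the session id the client presents, not from
        // whatever happens to be left in this pool thread's ThreadContext.
        before((req, res) -> {
            Subject.Builder builder = new Subject.Builder(SecurityUtils.getSecurityManager());
            String sid = req.cookie(COOKIE);
            if (sid != null) builder.sessionId(sid);  // unknown or expired id: anonymous Subject
            ThreadState state = new SubjectThreadState(builder.buildSubject());
            state.bind();                 // SecurityUtils.getSubject() now returns this Subject
            req.attribute(STATE, state);
        });
        before("/secure/*", (req, res) -> {
            if (!SecurityUtils.getSubject().isAuthenticated()) halt(401);
        });
        post("/login", (req, res) -> {
            Subject subject = SecurityUtils.getSubject();  // the Subject bound in before()
            try {
                subject.login(new UsernamePasswordToken(
                        req.queryParams("user"), req.queryParams("pass")));
            } catch (AuthenticationException e) {
                halt(401);
            }
            // Secure + HttpOnly cookie carrying the Shiro session id for later requests.
            res.cookie(COOKIE, subject.getSession().getId().toString(), -1, true, true);
            return "ok";
        });
        // Unbind so the next request served by this thread cannot inherit the Subject.
        afterAfter((req, res) -> {
            ThreadState state = req.attribute(STATE);
            if (state != null) state.clear();
        });
    }
}
```

Clearing the thread state matters as much as binding it: on a pooled Jetty thread, a Subject left in ThreadContext after login would be seen by whichever client's request that thread serves next.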
Re: isAuthenticated() returns false when the Jetty thread changes

sreenivas harshith
https://issues.apache.org/jira/browse/SHIRO-613


Re: isAuthenticated() returns false when the Jetty thread changes

dsf49
Thanks. I've developed a Jetty session-based alternative for now, but I'll try your idea soon.

Dave




