Shiro间歇Subject.getPrincipal

Question

我已经创建了一个JavaEE6项目，目前我正在使用Shiro进行身份验证和授权。使用本文作为参考(通过CDI拦截器使用Shiro进行授权，然后用Arquillian轻松地进行测试)，我将Shiro与CDI集成在一起。除了有时Subject.getPrincipal为null外，一切都很正常。

此外，调查表明，有时我至少有2个Subject.getSession().getId()。

我如何面对这个问题：

1. 使用-> sessionA登录
2. 单击安全链接(pageA) -> ok
3. 尝试在数据库中插入失败的记录。
4. 单击相同的安全链接(pageA) ->失败，查看它生成的不同会话id sessionB的跟踪
5. 刷新和刷新页面(pageA)。在登录sessionA期间获得相同的会话id。

有什么不对的？

我的shiro.ini文件

[main]
saltedJdbcRealm=com.sido.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName=Portal 

# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled=true

# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt 
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM users WHERE username = ?

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM roles a INNER JOIN user_roles b ON a.id=b.role_id INNER JOIN users c ON c.id=b.user_id WHERE c.username = ?

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM permissions WHERE role = ?

# password hashing specification, put something big for hasIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName=SHA-256
sha256Matcher.hashIterations=1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO 

cacheManager=org.apache.shiro.cache.ehcache.EhCacheManager 
cacheManager.cacheManagerConfigFile=classpath:shiro-ehcache.xml
securityManager.cacheManager=$cacheManager 

shiro.loginUrl = /login.xhtml

[urls]
/login.xhtml = authc
/logout = logout

web.xml

<context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Production</param-value>
</context-param>

<context-param>
    <param-name>primefaces.THEME</param-name>
    <param-value>south-street</param-value>
</context-param>

<!-- Welcome page -->
<welcome-file-list>
    <welcome-file>home.xhtml</welcome-file>
</welcome-file-list>

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Map these files with JSF -->
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

SecurityProducer，一个Singleton，其中我实例化了安全管理器。它应该对整个应用程序都是可用的和唯一的，对吗？

@Singleton
public class SecurityProducer {
    @Inject
    private Logger log;
    private SecurityManager securityManager;

    @PostConstruct
    public void init() {
        final String iniFile = "classpath:shiro.ini";
        log.debug("Initializing Shiro INI SecurityManager using " + iniFile);
        securityManager = new IniSecurityManagerFactory(iniFile).getInstance();
        SecurityUtils.setSecurityManager(securityManager);
    }
    ..
}

在初始化时绑定SecurityManager或Subject (Singleton )并不能解决这个问题。

final String iniFile = "classpath:shiro.ini";
securityManager = new IniSecurityManagerFactory(iniFile).getInstance();
SecurityUtils.setSecurityManager(securityManager);
ThreadContext.bind(SecurityUtils.getSubject()); or ThreadContext.bind(securityManager);

谢谢,

泽苏亚

Answer 1

我想我已经通过在这里配置web.xml基础：http://shiro.apache.org/web.html解决了间歇性会话问题。

目前情况如下：0.xsd“version="3.0">

<!-- Welcome page -->
<welcome-file-list>
    <welcome-file>home.xhtml</welcome-file>
</welcome-file-list>
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<!-- Map these files with JSF -->
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

​

但这真的是解决办法吗？有什么想法吗？

Answer 2

如果要手动构建subject，则应将其绑定到调用ThreadContext.bind(subject)的线程。如果不这样做，下一个调用SecurityUtils.getSubject()将返回新的主题，而不是您以前创建的主题。

例如，在我的应用程序中，我收到了请求中的会话id，并从中创建了一个主题。

​

Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();
ThreadContext.bind(subject);