0 Replies Latest reply on Jul 30, 2013 6:58 AM by lekkie_lomotayo

    Camel Shiro appears not to be thread safe

    lekkie_lomotayo

      Hi,

      This is the second time this is happening to me. I have decided to pay closer attention this time. It appears that sometimes, when doGetAuthorizationInfo(PrincipalCollection principals) in the AuthorizingRealm is called, the UsernamePasswordToken passed is that of another user.

      The trace below explains what I am trying to get at:

      fetching List from cache..

      fetching List from cache..

      roles for user is/are ..

      permissions for user is/are iswapi:service1:*, iswapi:service2:*..

      Those are print-outs from the custom implementation of the AuthorizingRealm.

      Basically, I get the principals:

      String user = (String) getAvailablePrincipal(principals);

      and I fetch the roles for that user (which prints out the >>> fetching List ..... line). Surprisingly, the user being printed is user1, when in reality the user that made the call is user2.

      The question is, why is getAvailablePrincipal(principals) returning user1 instead of user2? Is that the right call to make to know the current owner/user of that context? I believe getAvailablePrincipal(principals) should return the user in the SHIRO_SECURITY_TOKEN header, but this is not happening.

      I would appreciate it if someone could throw more light on how this works.

      Regards.
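As an added illustration (not the poster's code, and not a diagnosis of this particular deployment): a Shiro realm is a single object shared by every thread that authenticates or authorizes through it, so one common way doGetAuthorizationInfo ends up with another user's identity is a realm that keeps per-request state in an instance field. The hypothetical LeakyRealm below shows that pattern beside a StatelessRealm that derives the user only from the AuthenticationToken or PrincipalCollection passed into each call. The user and permission maps are constructed sample data, and the class names are assumptions; the Shiro types used are the real ones from org.apache.shiro (Java 9+ for Map.of / Set.of).

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import java.util.Map;
import java.util.Set;

/** Constructed sample data standing in for the realm's backing store (hypothetical). */
final class SampleUsers {
    static final Map<String, String> PASSWORDS = Map.of("user1", "pw1", "user2", "pw2");
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
            "user1", Set.of("iswapi:service1:*"),
            "user2", Set.of("iswapi:service1:*", "iswapi:service2:*"));
    private SampleUsers() {}
}

/**
 * ANTI-PATTERN (hypothetical): the authenticated user name is parked in a field.
 * Two requests on different Camel threads can interleave so that user2's
 * authorization check reads the name that user1's authentication wrote.
 */
class LeakyRealm extends AuthorizingRealm {
    private String currentUser; // shared by every thread that uses this realm

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        UsernamePasswordToken up = (UsernamePasswordToken) token;
        currentUser = up.getUsername(); // race: overwritten by the next thread's login
        String pw = SampleUsers.PASSWORDS.get(currentUser);
        if (pw == null) {
            throw new AuthenticationException("unknown user");
        }
        return new SimpleAuthenticationInfo(currentUser, pw.toCharArray(), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Ignores `principals` and trusts the field: whoever authenticated last wins.
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        SampleUsers.PERMISSIONS.getOrDefault(currentUser, Set.of())
                .forEach(info::addStringPermission);
        return info;
    }
}

/**
 * Thread-safe form: no per-request state lives in the realm. Identity comes only
 * from the token or PrincipalCollection Shiro built for that specific Subject.
 */
class StatelessRealm extends AuthorizingRealm {

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        UsernamePasswordToken up = (UsernamePasswordToken) token;
        String user = up.getUsername(); // local variable, never a field
        String pw = SampleUsers.PASSWORDS.get(user);
        if (pw == null) {
            throw new AuthenticationException("unknown user");
        }
        // The principal stored here is what getAvailablePrincipal() yields later.
        return new SimpleAuthenticationInfo(user, pw.toCharArray(), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Derive the user from the argument, and key any role/permission lookup
        // (including a cache lookup) by that value only.
        String user = (String) getAvailablePrincipal(principals);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        SampleUsers.PERMISSIONS.getOrDefault(user, Set.of())
                .forEach(info::addStringPermission);
        return info;
    }
}
```

A quick check for a symptom like the one in the post is whether the custom realm, or anything it calls to "fetch the list from cache", holds the user name, the token or a per-user list in an instance or static field; under concurrent requests that alone produces authorization decisions made for the wrong user, which is an authorization bypass rather than a mere logging oddity.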