> It worked fine with Shiro 1.1. With Shiro 1.2, searching through the forum,
> I saw a similar issue and changed the method to use WebSubject:
>
> public Subject getSubjectByLogin(final String login) {
>     PrincipalCollection principals = new SimplePrincipalCollection(login, REALM_NAME);
>     final FacesContext faces = FacesContext.getCurrentInstance();
>
>     HttpServletResponse resp = (HttpServletResponse) faces.getExternalContext().getResponse();
>     HttpServletRequest reqs = (HttpServletRequest) faces.getExternalContext().getRequest();
>
>     WebSubject.Builder b = new WebSubject.Builder(reqs, resp);
>     return b.principals(principals).buildSubject();
> }
>
> This worked better but it has the side effect of changing the Subject object
> of the logged in user to the one that was being checked. The effect is that any
> subsequent click takes me to an accessDenied page because the changed subject
> has lesser privileges.
Unless you're manipulating thread state, this cannot happen by using
the Builder alone.
Building a subject (i.e. builder.buildSubject();) does not change the
current user - it only creates a Subject instance. The Subject
instance returned from .buildSubject() is definitely usable, but it is
not bound to the current thread, and it is not the same as what is
returned from SecurityUtils.getSubject();
> So... can you comment on how to retrieve the role of an arbitrary user?
Strictly speaking, Shiro does not have APIs to ad-hoc query for
information for arbitrary users. This is because querying for such
information is *very* application and datasource specific. It might
be a goal of the project to create such an abstraction API at a later
date, but that is currently not in scope.
By manually creating subject instances for known users and relying on
the back-end authorization query that goes through the Realm(s), you
get close to your desired behavior I think, which should work pretty
well.
Cheers,
Les
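An added example (not code from the thread or from the Shiro project) illustrating the point above: a Subject built through Subject.Builder for a known login can be asked hasRole() through the configured Realm(s), while the thread-bound Subject from SecurityUtils.getSubject() is left untouched. The in-memory INI realm and the user/role names are constructed here for demonstration; the realm name "iniRealm" is assumed to be the one IniSecurityManagerFactory assigns.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class ArbitraryUserRoleCheck {

    // Assumption: the realm created by IniSecurityManagerFactory is named "iniRealm".
    private static final String REALM_NAME = "iniRealm";

    /** Builds a detached Subject for a known login and asks the realm(s) whether it has the role. */
    public static boolean userHasRole(String login, String role) {
        SimplePrincipalCollection principals = new SimplePrincipalCollection(login, REALM_NAME);
        // Subject.Builder picks up SecurityUtils.getSecurityManager(). buildSubject() only creates
        // an instance; it does not bind anything to the current thread. In a web application the
        // equivalent is WebSubject.Builder(request, response), as in the quoted code.
        Subject detached = new Subject.Builder().principals(principals).buildSubject();
        return detached.hasRole(role);
    }

    public static void main(String[] args) {
        // Constructed in-memory configuration standing in for the application's real realm.
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "alicePass, admin");
        ini.setSectionProperty("users", "bob", "bobPass, viewer");
        ini.setSectionProperty("roles", "admin", "*");
        ini.setSectionProperty("roles", "viewer", "report:read");
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);

        // The thread-bound Subject: an anonymous user in this stand-alone run.
        Subject current = SecurityUtils.getSubject();

        System.out.println("alice admin?  " + userHasRole("alice", "admin"));  // true
        System.out.println("bob admin?    " + userHasRole("bob", "admin"));    // false
        System.out.println("bob viewer?   " + userHasRole("bob", "viewer"));   // true

        // The ad-hoc checks above did not replace the thread-bound Subject.
        System.out.println("same thread-bound Subject? " + (current == SecurityUtils.getSubject()));
        System.out.println("thread-bound principal: " + current.getPrincipal()); // null: still anonymous
    }
}
```

If the thread-bound Subject does change in your application, look for code that calls ThreadContext.bind(), subject.execute(), or subject.associateWith() with the built Subject rather than at the Builder itself.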