Problems with changing the Strategy

[hennroja]

Hey ! I added two reamls and tried to change the strategy to FirstSuccessfulStrategy in the shiro.ini, but the configuration had no effect. Shiro was still using AtLastOneSuccessfulStrategy.

I few days ago I already wrote a strackoverflow question regarding this issue. No answer so far.

Just by looking on the code I am wondering if we don't overwrite the configuration in the createFilter() function.

WebSecurityManager securityManager = realms.isEmpty()
                        ? shiroEnv.getWebSecurityManager()
                        : new DefaultWebSecurityManager(realms);

At this point the configuration from file is done, right? So shiro already configured the WebSecurityManager and set (in my case) the Authenticators strategy to FirstSuccessfulStrategy.

But then we check if the Collection of realms is Empty and when it is not we create a new DefaultWebSecurityManager which means, as I understand it, our configurations are lost.

Why can't we just use getWebSecurityManager(), cast (if instanceOf) to DefaultWebSecurityManager and use then the setRealms() function.

Thank

[silb]

I originally didn't want to downcast to DefaultWebSecurityManager, and I also didn't consider the use case of merging programmatically created realms with settings in the INI-file.

Your suggestion sounds like a plausible fix.

Another possible fix could be to override org.apache.shiro.web.env.IniWebEnvironment.createWebSecurityManager() somehow.

As a workaround you can simply override org.secnod.dropwizard.shiro.ShiroBundle.createFilter.