Merge pull request #1514 from boris-petrov/fix-creating-subjects-with…

…-special-subject-factory [#SHIRO-875] Fix creating subjects from a `SubjectFactory` that disables session-creation
apache · Jun 3, 2024 · f49e89f · f49e89f
2 parents b96041a + b2c850f
commit f49e89f
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java b/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
@@ -355,7 +355,7 @@ public Subject createSubject(SubjectContext subjectContext) {
         //(this is needed here in case rememberMe principals were resolved and they need to be stored in the
         //session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation).
         //Added in 1.2:
-        if (subjectContext.isSessionCreationEnabled()) {
+        if (context.isSessionCreationEnabled()) {
             save(subject);
         }
 

diff --git a/core/src/test/java/org/apache/shiro/mgt/DefaultSecurityManagerTest.java b/core/src/test/java/org/apache/shiro/mgt/DefaultSecurityManagerTest.java
@@ -29,6 +29,7 @@
 import org.apache.shiro.session.mgt.AbstractValidatingSessionManager;
 import org.apache.shiro.subject.SimplePrincipalCollection;
 import org.apache.shiro.subject.Subject;
+import org.apache.shiro.subject.SubjectContext;
 import org.apache.shiro.subject.support.DelegatingSubject;
 import org.apache.shiro.util.ThreadContext;
 import org.junit.jupiter.api.AfterEach;
@@ -195,8 +196,29 @@ void testNewSubjectWithoutThreadSecurityManager() {
     @Test
     void testNewSubjectWithoutSessionCreationEnabled() {
         SimplePrincipalCollection principals = new SimplePrincipalCollection("guest", "asd");
+        // this tests that calling `buildSubject` doesn't throw an exception due to session-creation being disabled
         Subject subject = new Subject.Builder().principals(principals).sessionCreationEnabled(false).buildSubject();
 
         assertEquals(subject.getPrincipal(), "guest");
     }
+
+    @Test
+    void testNewSubjectWithSubjectFactoryThatDisablesSessionCreation() {
+        ((DefaultSecurityManager) SecurityUtils.getSecurityManager())
+            .setSubjectFactory(new SessionCreationDisabledSubjectFactory());
+
+        SimplePrincipalCollection principals = new SimplePrincipalCollection("guest", "asd");
+        // this tests that calling `buildSubject` doesn't throw an exception due to session-creation being disabled
+        Subject subject = new Subject.Builder().principals(principals).buildSubject();
+
+        assertEquals(subject.getPrincipal(), "guest");
+    }
+
+    private static final class SessionCreationDisabledSubjectFactory extends DefaultSubjectFactory {
+        @Override
+        public Subject createSubject(SubjectContext context) {
+            context.setSessionCreationEnabled(false);
+            return super.createSubject(context);
+        }
+    }
 }