I tried to implement this at the generic Shiro security mechanism (within Isis core), but realized that actually it needs to be at a deeper level, ie in this module.
The code I sketched out before abandoning was:
@DomainService(nature = NatureOfService.DOMAIN)
public class SudoServiceSpi implements SudoService.Spi {
@Override
public void runAs(final String username, final List<String> roles) {
try {
final Subject subject = SecurityUtils.getSubject();
if (subject == null) {
return;
}
// can't set runAs if has no current principals
if(!hasPrincipals(subject)) {
return;
}
final SimplePrincipalCollection principals = new SimplePrincipalCollection();
principals.add(new RunAsPrincipal(username, roles), "sudoRealm");
subject.runAs(principals);
} catch(UnavailableSecurityManagerException ex) {
return;
}
}
private boolean hasPrincipals(final Subject subject) {
return !CollectionUtils.isEmpty(subject.getPrincipals());
}
@Override
public void releaseRunAs() {
try {
final Subject subject = SecurityUtils.getSubject();
if(subject == null) {
return;
}
// can't set runAs if has no current principals
if(!hasPrincipals(subject) || !subject.isRunAs()) {
return;
}
subject.releaseRunAs();
} catch (UnavailableSecurityManagerException ex) {
return;
}
}
}
and also:
public class RunAsPrincipal implements AuthorizationInfo {
private final String username;
private final List<String> roles;
public RunAsPrincipal(final String username, final List<String> roles) {
this.username = username;
this.roles = roles;
}
@Override
public Collection<String> getRoles() {
return roles;
}
@Override
public Collection<String> getStringPermissions() {
return Collections.emptyList();
}
@Override
public Collection<Permission> getObjectPermissions() {
return Collections.emptyList();
}
}
Certainly RunAsPrincipal won't be needed; instead use the PrincipalForApplicationUser that already exists.
Also, will need to decide what to do if the specified user doesn't exist in the user; perhaps fall back on the above generic code (meaning no permissions, of course).
from https://github.com/isisaddons-legacy/isis-module-security/issues/48
As introduced in 1.13.2
I tried to implement this at the generic Shiro security mechanism (within Isis core), but realized that actually it needs to be at a deeper level, ie in this module.
The code I sketched out before abandoning was:
and also:
Certainly RunAsPrincipal won't be needed; instead use the
PrincipalForApplicationUser
that already exists.Also, will need to decide what to do if the specified user doesn't exist in the user; perhaps fall back on the above generic code (meaning no permissions, of course).