5

I'm using Apache Shiro. When I want to know if the user has permissions and roles I use SecurityUtils.getSubject(). I'd like to know how to add more information to the subject, like email, primary key and any other business information that I need, so I can retrieve that information when necessary.

This is my shiro.ini:

    [main]
    ds = org.apache.shiro.jndi.JndiObjectFactory
    ds.requiredType = javax.sql.DataSource
    ds.resourceName = java:/comp/env/jdbc/myDS

    # JDBC realm config
    jdbcRealm = com.mycompany.JdbcRealmImpl
    jdbcRealm.permissionsLookupEnabled = true
    jdbcRealm.authenticationQuery = SELECT password FROM user WHERE username = ? AND status = 1
    jdbcRealm.dataSource = $ds

    sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
    jdbcRealm.credentialsMatcher = $sha256Matcher

    [urls]
    /logout = logout
    /** = authcBasic

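This is my JdbcRealm:

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.realm.jdbc.JdbcRealm;

    public class JdbcRealmImpl extends JdbcRealm {

        public JdbcRealmImpl() {
            super();
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(
                final AuthenticationToken token) throws AuthenticationException {

            // Let JdbcRealm run the authenticationQuery and build the default info
            final AuthenticationInfo info = super.doGetAuthenticationInfo(token);

            // create a user to test
            final User user = new User();
            user.setId(11111);

            // Return the custom User object as the principal instead of the username
            return new SimpleAuthenticationInfo(user, info.getCredentials(),
                    getName());
        }

    }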

And here is the code where I try to retrieve the user info:

    final Subject currentUser = SecurityUtils.getSubject();
    final User user = (User) currentUser.getPrincipal();
    // null
    System.out.println(user); 

1 Answer

0

You should just put that in a database and retrieve it using the Subject's username (for example an email address).

Wouter
  • I try to use [this approach](http://stackoverflow.com/a/17361386/3864677) but when I try to retrieve the principal it comes null. – Tiago Wanke Marques Aug 27 '14 at 19:09
  • Share the code and configuration you are using if you want it analyzed – Wouter Aug 27 '14 at 19:15
  • @Wouter According to your answer, does that mean that Shiro doesn't support exposing information attached to a Subject? Loading more information from the database after login implies that two accesses to the database will be performed every time. – manash Mar 01 '16 at 14:34
  • @MickaelMarrache If you want to retrieve data for a subject multiple times without hitting the database, you could store it on the user Session object. http://shiro.apache.org/session-management.html – Wouter Mar 01 '16 at 14:40
  • 2
    @Wouter The user information is loaded by one or more Realms. I would like non-security related information along with security information (e.g. password). At this stage (i.e. in the Realm), the session can't be accessed (at least not with the methods defined by the AuthorizingRealm interface). Therefore, I finally found a solution. The principal type is Object. I guess Shiro expects us to use our specific class. I tested and it works. Simply pass your custom user instance as principal to the returned AuthenticationInfo instance. – manash Mar 01 '16 at 14:55
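
The custom-principal approach from the last comment, as an added example that is not code from the question, the answer, or Shiro itself. `ProfileJdbcRealm`, `UserProfile` and the `id`/`email` columns are assumptions; the username is kept as the primary principal because `JdbcRealm` casts the realm's primary principal to `String` when it looks up roles and permissions.

```java
import java.io.Serializable;
import java.sql.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class ProfileJdbcRealm extends JdbcRealm {
    // Hypothetical business principal. Serializable because principals live in the session; no password field.
    public static final class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        public final long id;
        public final String email;
        UserProfile(long id, String email) { this.id = id; this.email = email; }
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // Parent runs authenticationQuery; the credentials matcher checks the password after we return.
        AuthenticationInfo info = super.doGetAuthenticationInfo(token);
        String username = ((UsernamePasswordToken) token).getUsername();
        // Username first, so JdbcRealm's role/permission lookup still receives a String.
        SimplePrincipalCollection principals = new SimplePrincipalCollection(username, getName());
        principals.add(loadProfile(username), getName());
        return new SimpleAuthenticationInfo(principals, info.getCredentials());
    }

    private UserProfile loadProfile(String username) {
        // Assumed columns: id and email on the question's user table.
        String sql = "SELECT id, email FROM user WHERE username = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) throw new UnknownAccountException("No profile row for user");
                return new UserProfile(rs.getLong("id"), rs.getString("email"));
            }
        } catch (SQLException e) {
            throw new AuthenticationException("Profile lookup failed", e);
        }
    }
    // Call site: the typed principal, or null when no principals are attached to the Subject.
    public static UserProfile currentProfile() {
        PrincipalCollection pc = SecurityUtils.getSubject().getPrincipals();
        return pc == null ? null : pc.oneByType(UserProfile.class);
    }
}
```

With this layout `SecurityUtils.getSubject().getPrincipal()` still returns the username, and `currentProfile()` returns the business data without a second query per request.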