[Question] how to ensure child threads have same subject as parent thread

[ewesten]

Search before asking

• I had searched in the issues, including closed issues and found no similar issues.

Question

Hello,

with the change from #2082 we are no longer able to run our multi-threading model as before so that we could not adopt Shiro 2.0.4 or higher.

Essentially our coding relies so far on the fact that we can obtain the principal using

SecurityUtils.getSubject().getPrincipal()

also in child threads launched from a parent thread (typically an HTTP request).

I tried following guidance from https://shiro.apache.org/subject.html#Subject-ThreadAssociation but without success. Even when associating the subject with the Runnable, I am receiving null for the principal now which used to work prior to 2.0.4.

Is there any guidance / workaround how the user context can be made available to child threads?

Regards, Eric

[lprimak]

Hi,

You are on the right track.

In your child threads, you need to use something like the following:

try {
  ThreadContext.bind(securityManager)
  // rest of your code
} finally {
  ThreadContext.remove();
}

you may also do ThreadContext.bind(Subject) but that should already be taken care of as documented in https://shiro.apache.org/subject.html#Subject-ThreadAssociation

Hope this helps.

[ewesten]

Hello,

thanks for the reply, but I am not getting it yet (sorry if I am slow).

Here is my basic coding (attempting to adopt the proposal above).
However it is not working in Shiro 2.0.6. (In 2.0.3 it was working even without bind() and associateWith. )

Runnable task = () -> {
  try {
    ThreadContext.bind(SecurityUtils.getSecurityManager());
    // my code with access control check based on principal
  } finally {
    ThreadContext.remove();
  }
};

Subject subject = SecurityUtils.getSubject();
subject.associateWith(task);
Thread t = new Thread(task, "myworker");
t.start();

Essentially it is not clear to me how to obtain / propagate the correct security manager in the child thread.

Regards, Eric

[lprimak]

Your code above looks like it should work correctly.
How are you setting the security manager in the first place?
Is it a "global" one vs. bound one in your parent thread?
I would crack open the debugger to find out what actually is happening,
since initialization code can have many variations.

[lprimak]

Also, have you tried just doing something like this:

var securityManager = SecurityUtils.getSecurityManager();
Runnable task = () -> {
  try {
    ThreadContext.bind(securityManager);
    // my code with access control check based on principal
  } finally {
    ThreadContext.remove();
  }
};
...

[ewesten]

Hello,

ok, I did some further debugging and found one way which seems to work

SecurityManager securityManager = SecurityUtils.getSecurityManager();
Subject subject = SecurityUtils.getSubject();
Runnable task = () -> {
   try {
      ThreadContext.bind(securityManager);
      ThreadContext.bind(subject);
      // my code with access control check based on principal
    } finally {
      ThreadContext.remove();
    }
};

The problem was that subject.associateWith(task) did not ensure that the subject within the child thread is properly resolved as needed for obtaining the principal. Specifically, there was no session associated with the subject in the child thread.

Can you confirm that this is a valid approach to solve the challenge?

Thanks, Eric

[lprimak]

Yes that's a perfectly valid solution.