Merge pull request #1407 from boris-petrov/fix-creating-subjects-with-disabled-session-creation
[#SHIRO-875] Fix creating subjects with disabled session-creation
diff --git a/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java b/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
index 9912f6a..6674ddb 100644
--- a/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
+++ b/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
@@ -355,7 +355,9 @@
//(this is needed here in case rememberMe principals were resolved and they need to be stored in the
//session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation).
//Added in 1.2:
- save(subject);
+ if (subjectContext.isSessionCreationEnabled()) {
+ save(subject);
+ }
return subject;
}
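Review bot: The new guard around `save(subject)` keys on whether session creation is allowed, not on whether a session is already attached to the subject. A subject built with session creation disabled but with an existing session resolved earlier in this method would presumably no longer have its state written back. The body of save() and the session-resolution code are outside this hunk, so this needs confirming, but a narrower condition such as `if (subjectContext.isSessionCreationEnabled() || subject.getSession(false) != null) {` would keep the fix without dropping that write. The comment above the guard still reads as if the save were unconditional; a line such as `//Skipped when session creation is disabled, since saving may otherwise try to create a session.` would record why the branch exists.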
diff --git a/core/src/test/java/org/apache/shiro/mgt/DefaultSecurityManagerTest.java b/core/src/test/java/org/apache/shiro/mgt/DefaultSecurityManagerTest.java
index 1628eb1..161e8db 100644
--- a/core/src/test/java/org/apache/shiro/mgt/DefaultSecurityManagerTest.java
+++ b/core/src/test/java/org/apache/shiro/mgt/DefaultSecurityManagerTest.java
@@ -27,6 +27,7 @@
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.AbstractValidatingSessionManager;
+import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DelegatingSubject;
import org.apache.shiro.util.ThreadContext;
@@ -187,4 +188,12 @@
subject.login(token);
assertEquals(sm, subject.getSecurityManager());
}
+
+ @Test
+ void testNewSubjectWithoutSessionCreationEnabled() {
+ SimplePrincipalCollection principals = new SimplePrincipalCollection("guest", "asd");
+ Subject subject = new Subject.Builder().principals(principals).sessionCreationEnabled(false).buildSubject();
+
+ assertEquals(subject.getPrincipal(), "guest");
+ }
}
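Review bot: testNewSubjectWithoutSessionCreationEnabled checks only the principal and never asserts that the subject ends up without a session, which is the property the guard in DefaultSecurityManager is meant to protect. Adding `assertNull(subject.getSession(false));` after the principal check would pin that. The assertEquals arguments are also in actual-then-expected order, so a failure message would be misleading; prefer `assertEquals("guest", subject.getPrincipal());`. Whether assertNull is already statically imported in this test class is not visible in the hunk.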