[ https://issues.apache.org/jira/browse/SHIRO-372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13409225#comment-13409225 ]
Romain Manni-Bucau commented on SHIRO-372:
------------------------------------------
The Shiro validator proposed in the zip needs the clear password on the server
side; to avoid that, the following implementation is fine:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.UsernameTokenValidator;

public class ShiroValidator extends UsernameTokenValidator {
    // Delegate the plaintext-password check to Shiro instead of comparing
    // against a clear password held by the server.
    @Override
    protected void verifyPlaintextPassword(final UsernameToken usernameToken,
                                           RequestData data) throws WSSecurityException {
        final Subject subject = SecurityUtils.getSubject();
        try {
            login(subject, usernameToken.getName(), usernameToken.getPassword());
            logout(subject);
        } catch (AuthenticationException ae) {
            throw new WSSecurityException("can't log '" + usernameToken.getName() + "'");
        }
    }

    // Drop any identity already bound to the subject, then authenticate
    // with the credentials carried by the UsernameToken.
    protected void login(final Subject subject, final String user, final String password) {
        if (subject.isAuthenticated()) {
            subject.logout();
        }
        subject.login(new UsernamePasswordToken(user, password.toCharArray()));
    }

    protected void logout(final Subject subject) {
        assert subject.isAuthenticated();
        // defined to be overridable if necessary, we should be able to call logout here
        // but often we want permission later in the same call
        // so for performance we don't call logout immediately
    }
}

> provide some integration with wss4j
> -----------------------------------
>
> Key: SHIRO-372
> URL: https://issues.apache.org/jira/browse/SHIRO-372
> Project: Shiro
> Issue Type: Improvement
> Affects Versions: 1.2.0
> Reporter: Romain Manni-Bucau
> Attachments: shiro-wss4j.zip
>
>
> A simple way to integrate shiro with wss4j is to extend the
> UsernameTokenValidator and add a login.
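
The point the comment makes about not needing the clear password on the server, as an added example that is not part of the original comment or of the attached zip: because the validator hands the received password to subject.login, a Shiro realm can hold only a salted hash and let its CredentialsMatcher do the comparison. The realm class, the user "alice", the salt and the iteration count are constructed for illustration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedRealmDemo {
    static final int ITERATIONS = 1024;      // constructed value
    static final String SALT = "demo-salt";  // constructed; use a random per-user salt in practice
    // What the user store holds: only the salted, iterated hash (constructed sample).
    static final String STORED_HEX = new Sha256Hash("s3cret", SALT, ITERATIONS).toHex();

    // Hypothetical realm: it returns the stored hash, never a clear password.
    static class HashOnlyRealm extends AuthenticatingRealm {
        HashOnlyRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            if (!"alice".equals(token.getPrincipal())) {
                return null; // Shiro treats a null result as an unknown account
            }
            return new SimpleAuthenticationInfo("alice", STORED_HEX,
                    ByteSource.Util.bytes(SALT), getName());
        }
    }

    // Same login-then-logout sequence the validator performs per message.
    static boolean canLogin(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            subject.logout();
            return true;
        } catch (AuthenticationException ae) {
            return false;
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashOnlyRealm()));
        System.out.println("correct password accepted: " + canLogin("alice", "s3cret"));
        System.out.println("wrong password accepted:   " + canLogin("alice", "wrong"));
    }
}
```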