So the previous email dealt with issues starting the spring-sample in
ki's svn tree.

Concerning my original use case:

One detail I forgot to mention was that my client grails app ALSO has
jsecurity/ki users/roles separate from the server. The idea is that
users login to the client grails app using the client's users/roles, and
the client grails app itself would authenticate to the server against
the server's users/roles. The authentication on the server in this case
is only used to authenticate RMI clients. Do you see any issues with
this setup?

Also, in my setup, grails/spring injects the remote proxy stub that's
been configured to proxy the given interface (in grails remoting plugin,
this is a remote Service).

So I'm curious, do I just do this on the client?:

class SomeClass {
    def remoteService  // dependency-injected remote proxy

    def callRemoteMethod() {
        Subject subject = SecurityUtils.getSubject()
        subject.login(...)
        remoteService.someMethod()
        ....
    }
}

If that's the case, given that I have jsecurity user/roles on the client
and the server as well, does my call to getSubject give me a remote
Subject or a local Subject? If it's local, then a call to login is
going to try to authenticate against the client's user/roles which is
not what I need. If it's remote, does this affect my client's local
user/roles queries as well?

Clearly, I'm still confused. I'm trying to get this working so that I
can contribute it back to the grails remoting plugin (i.e., if you
install grails, jsecurity/ki plugin, and remoting plugin you should have
the option to have secured httpinvoker RMI).

Thanks for your help so far,

~Justin

Justin Riley wrote:
> Hi Les,
>
> Thanks for your reply, it has helped to clarify some things and I'm
> currently looking at the sample spring application's code.
>
> I decided to use a svn checkout of the latest ki code and built the code
> and examples using mvn clean install.
>
> I took the war generated from spring-sample and dumped it into tomcat's
> webapp directory, started tomcat, and now I have the server running
> successfully at http://localhost:8080/ki-spring/.
>
> I got as far as logging in and clicking the jnlp to launch the web start
> demo...however, the libraries it needs are missing from the war'd spring
> sample and so it failed.
>
> So, I decided to go back to command line and run the gui myself by
> specifying classpath and -Dki.session.id=whatever-server-said, however,
> I'm getting this error:
>
> Exception in thread "main"
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'webStartView' defined in class path resource
> [webstart.spring.xml]: Invocation of init method failed; nested
> exception is java.lang.IllegalStateException: No SecurityManager
> accessible to this method, either bound to the
> org.apache.ki.util.ThreadContext or as a vm static singleton. See the
> org.apache.ki.SecurityUtils.getSubject() method JavaDoc for an
> explanation of expected environment configuration.
>
> Any ideas?
>
> Thanks!
>
> ~Justin
>
>
> Les Hazlewood-2 (via Nabble) wrote:
>> Hi Justin,
>>
>> You're pretty close - you don't pass the username/password along with
>> each remoting invocation. It works just like a normal user account.
>>
>> For example, you get the Subject, then you call
>> login(AuthenticationToken), and once successful, you continue to use
>> that subject for further invocations. As long as the session id goes
>> along with every remote invocation, the server side can associate the
>> request with the correct user.
>>
>> We have a spring sample application here:
>> https://svn.apache.org/repos/asf/incubator/jsecurity/trunk/samples/spring/
>>
>> It uses a Java WebStart Swing UI that acts as the remote client, but
>> works in essence like your remote grails app. Check that out and see if
>> that helps. Feel free to ask more questions.
>>
>> Cheers,
>>
>> Les
>>
>> On Thu, May 14, 2009 at 2:54 PM, jtriley <justin.t.ri...@...> wrote:
>>
>>
>> I'm curious if anyone could shed some light on how to do the following:
>>
>> I have two grails apps that I've connected via spring's httpinvoker
>> via the grails remoting plugin. I have jsecurity installed on the
>> remote side with a few users/roles. I'd like to create a user for the
>> client grails app to authenticate with so that I can rest assured that
>> only those apps with the proper credentials can use the server's
>> remote procedures.
>>
>> Basically, anytime my client grails app connects to the remote grails
>> app via spring's httpinvoker, I'd like for the httpinvoker bean to pass
>> along a username/password, obtain a session, and then carry that
>> session for future remote procedure calls (just like in a browser).
>> Otherwise, any unauthenticated calls to the remote grails app's remote
>> procedures should fail.
>>
>> So, in researching this, it appears that jsecurity has a
>> org.jsecurity.spring.remoting package that contains the following
>> classes:
>>
>> SecureRemoteInvocationExecutor (server side)
>> SecureRemoteInvocationFactory (client side)
>>
>> Looking in at the guts of the remoting plugin I have determined that
>> org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter
>> is used on the remote side and
>> org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean
>> is used for the client side.
>>
>> Looking at these classes I see that I can set a property
>> "remoteInvocationExecutor" on the enclosing beans that points to the
>> classes in org.jsecurity.spring.remoting
>>
>> What I'm confused about at this point is how I pass in the
>> username/password from the client-side and I'm also wondering if
>> there's anything to do on the server side?
>>
>> Of course, I could be totally off with all of this and would certainly
>> appreciate someone setting me straight on these issues.
>>
>> Thanks!
>>
>> ~jtriley
>> --
>> View this message in context:
>>
>> http://n2.nabble.com/integrating-jsecurity-ki-auth-with-spring%27s-httpinvoker-tp2898395p2898395.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>
--
View this message in context:
http://n2.nabble.com/integrating-jsecurity-ki-auth-with-spring%27s-httpinvoker-tp2898395p2936063.html
Sent from the JSecurity User mailing list archive at Nabble.com.
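
The wiring discussed in this thread, as an added example that is not part of the original messages or of the JSecurity sample application: the server-side exporter is given a SecureRemoteInvocationExecutor and the client-side proxy a SecureRemoteInvocationFactory, so that the session id accompanies each remote invocation as Les describes. Bean ids, the service URL, the com.example names and the already-defined securityManager bean are assumptions; the two groups of beans belong in the server's and the client's Spring contexts respectively.

```xml
<!-- Added example. Bean ids, URL and com.example.* names are hypothetical. -->

<!-- ============ SERVER application context ============ -->

<!-- Runs each incoming invocation under the Subject tied to the session id
     carried in the RemoteInvocation; "securityManager" is assumed to be the
     server's existing jsecurity SecurityManager bean. -->
<bean id="secureRemoteInvocationExecutor"
      class="org.jsecurity.spring.remoting.SecureRemoteInvocationExecutor">
    <property name="securityManager" ref="securityManager"/>
</bean>

<!-- Exposes the service over HTTP and delegates execution to the secure
     executor instead of Spring's default one. -->
<bean name="/remoteService"
      class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="service" ref="remoteServiceImpl"/>
    <property name="serviceInterface" value="com.example.RemoteService"/>
    <property name="remoteInvocationExecutor" ref="secureRemoteInvocationExecutor"/>
</bean>

<!-- ============ CLIENT application context ============ -->

<!-- Builds each RemoteInvocation with the current session id attached. -->
<bean id="secureRemoteInvocationFactory"
      class="org.jsecurity.spring.remoting.SecureRemoteInvocationFactory"/>

<!-- The proxy that gets injected into client code; note the client-side
     property is remoteInvocationFactory, not remoteInvocationExecutor. -->
<bean id="remoteService"
      class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
    <property name="serviceUrl" value="http://localhost:8080/server-app/remoteService"/>
    <property name="serviceInterface" value="com.example.RemoteService"/>
    <property name="remoteInvocationFactory" ref="secureRemoteInvocationFactory"/>
</bean>
```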