Hi,

I'm facing some issues using JSecurity in my project. Authentication works
perfectly (JDBC based login, require login for protected URLs), but
authorization does not.
I set up a JdbcRealm, following the Spring sample bundled with JSecurity.
Most of it is unchanged from the sample (I changed it to use my own URLs and
custom JDBC queries).

When I debug my app and check the authenticated Subject, its securityManager
is using classpath:org/jsecurity/cache/ehcache/ehcache.xml as config file.
The first time I try to check anything involving authorization, I get this:
10:49:21,421 INFO  [RealmSecurityManager] No Realms configured.  Defaulting to failsafe PropertiesRealm.
...
10:49:21,546 INFO  [EhCacheManager] Using preconfigured EHCache named [org.jsecurity.realm.text.PropertiesRealm-1-authorization]
10:49:23,687 ERROR [[secureWeb]] Servlet.service() for servlet secureWeb threw exception
java.util.NoSuchElementException
    at java.util.Collections$EmptySet$1.next(Collections.java:2912)
    at java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
    at org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:159)
    ...

In my JBoss logs, I see that the security manager seems to be created
multiple times (the config file was read multiple times), all of them getting
config from classpath:org/jsecurity/cache/ehcache/ehcache.xml, except one,
which loads my config file (classpath:myconfig-ehcache.xml). This is the
Spring config for my securityManager:
    <bean id="securityManager" class="org.jsecurity.web.DefaultWebSecurityManager">
        <property name="realm" ref="jdbcRealm"/>
        <property name="sessionMode" value="jsecurity"/>
        <property name="cacheManager" ref="cacheManager"/>
    </bean>
    <bean id="cacheManager" class="org.jsecurity.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile">
            <value>classpath:myconfig-ehcache.xml</value>
        </property>
    </bean>

I believe this bean is not being injected into objects that need security
manager, and they are creating their own default copies, with default
config. For example: if I remove JSecurityFilter completely from web.xml,
one of these securityManager creations with default config is gone.
I also just found out about references in the web.xml inline ini
(securityManager.cacheManager = $cacheManager), but I couldn't refer to the
Spring managed bean. Do I have to repeat the cacheManager config in this
file (ultimately creating a second securityManager), or can I somehow refer
to the same object created by Spring, or vice versa? I see that there is
some SpringIniWebConfiguration, but I couldn't find how to use it.
Debugging the creation of DefaultWebSecurityManagers, some of these wrong
managers are created in the stack of IniWebConfiguration, so I hope the
Spring version can help me.

Another approach I took: I debugged a hasRole() call to see where things
went wrong, and inside RealmSecurityManager.ensureRealms() no realms were
found, and the default PropertiesRealm was loaded. A resolved bug (SHIRO-66)
says it is caused by a securityManager which is a proxy (I believe it is my
case here, I use proxies, just don't know if the securityManager was proxied
as well). I'd like to avoid using Shiro before 1.0, also because I'm having
problems building Shiro (missing dependencies), and I prefer GA releases.
Can I do some workaround for this?

Additional notes, don't know if somehow relevant:
- my environment: JBoss 4.2.1, JSecurity 0.9, Spring 2.5.6, DataNucleus
Platform 1.1 (JDO), Java 1.6.
- all my libs and dependencies (Spring, JSecurity, JCaptcha...) are on JBoss
(server's libs folder); I did it to reduce deploy size;
- my DAOs and Spring beans (including security manager) are defined in a
parent application, so that the two web projects/contexts that make the
whole application can share the same beans (it works nicely AFAIK).

Well, that's a lot of info. Sorry about my previous mail, I hadn't properly
investigated the issue. Hope I can get some help now =)
Guess I said all I knew about my situation. If there is some missing link,
please tell me.

Thanks!
