Hi,
Well, I could solve half the problem. I included
configClassName=org.apache.shiro.spring.SpringIniWebConfiguration and
securityManagerBeanName=securityManager in web.xml and now I can check for
roles. I did it programmatically and through tags and it worked nicely.
My url filters are not working the way I expected yet. Here is my web.xml
filter definition:
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    <init-param>
        <param-name>configClassName</param-name>
        <param-value>org.apache.shiro.spring.SpringIniWebConfiguration</param-value>
    </init-param>
    <init-param>
        <param-name>securityManagerBeanName</param-name>
        <param-value>securityManager</param-value>
    </init-param>
    <init-param>
        <param-name>config</param-name>
        <param-value>
            [filters]
            shiro.loginUrl = /web/login
            authc.successUrl = /web/app/home
            [urls]
            /web/app/**=authc
            /web/app/admin/**= roles[ADM]
            /web/app/admin/role1/**= roles[ADM_ROLE1]
            /web/app/admin/role2/**= roles[ADM_ROLE2]
            /web/app/user/**= roles[USER]
            /web/app/user/role1/**= roles[USER_ROLE2]
            /web/app/user/role2/**= roles[USER_ROLE2]
        </param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/web/*</url-pattern>
</filter-mapping>
Authentication is correctly requested for any /web/app url, but any other
role applies. I can use an ADM user to access a url like /web/app/user/role1
without restrictions. This is the log for the page request:
[org.apache.shiro.web.servlet.ShiroFilter] No security filter chain configured for the current request. Using default.
And since I'm here, a few questions:
- as Shiro does not handle roles updates (it does not store them back), how
can I invalidate/refresh roles cache for some user or a group of users when
I know it is needed?
- without ehcache (looks like the devs removed them), what's the best
production-oriented cache solution/implementation available?
Thanks again!
On Tue, Jul 7, 2009 at 9:55 PM, mad rug <[email protected]> wrote:
> Hi Les,
>
> I didn't have code problems, I just used JSecurity 0.9 because I always
> avoid to use dev codebase. As I saw that some bug fixes were already on
> Shiro (SHIRO-66), I replaced JSecurity. I did little testing since this
> change, but my issues remain. This is the error calling hasRole():
>
> java.lang.IllegalStateException: Configuration error: No realms have been configured! One or more realms must be present to execute an authorization operation.
> at org.apache.shiro.authz.ModularRealmAuthorizer.assertRealmsConfigured(ModularRealmAuthorizer.java:149)
> at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:308)
> at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:182)
> at org.apache.shiro.subject.DelegatingSubject.hasRole(DelegatingSubject.java:228)
> at mypackage.MyController.referenceData(MyController.java:99)
> ...
>
> That's the same error, it was triggered in the same place, just that it now
> throws a new exception.
> And about shiro, was ehcache support removed? I couldn't locate
> EhCacheManager.
>
> Thanks
>
>
> On Tue, Jul 7, 2009 at 5:06 PM, Les Hazlewood <[email protected]> wrote:
>
>> Hi Mad,
>>
>> By your class names, that means you're using JSecurity 0.9.0 final and not
>> using Shiro's codebase yet. Do you have any problems using the Shiro
>> codebase?
>>
>> I ask because it would be much easier for me to play with things with the
>> dev environment I already have set up centered around Shiro.
>>
>> Thoughts?
>>
>> Cheers,
>>
>> Les
>>
>>
>> On Tue, Jul 7, 2009 at 3:15 PM, mad rug <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I'm facing some issues using JSecurity in my project. Authentication
>>> works perfect (JDBC based login, require login for protected URLs), but
>>> authorization is not.
>>> I set up a JdbcRealm, following the Spring sample bundled with JSecurity.
>>> Most of it is unchanged from the sample (I changed it to my own URLs, custom
>>> JDBC queries).
>>>
>>> When I debug my app and check the authenticated Subject, its
>>> securityManager is using classpath:org/jsecurity/cache/ehcache/ehcache.xml
>>> as config file. The first time I try to check anything involving
>>> authorization, I get this:
>>> 10:49:21,421 INFO [RealmSecurityManager] No Realms configured. Defaulting to failsafe PropertiesRealm.
>>> ...
>>> 10:49:21,546 INFO [EhCacheManager] Using preconfigured EHCache named [org.jsecurity.realm.text.PropertiesRealm-1-authorization]
>>> 10:49:23,687 ERROR [[secureWeb]] Servlet.service() for servlet secureWeb threw exception
>>> java.util.NoSuchElementException
>>> at java.util.Collections$EmptySet$1.next(Collections.java:2912)
>>> at java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
>>> at org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:159)
>>> ...
>>>
>>> In my JBoss logs, I see that the security manager seems to be created
>>> multiple times (the config file was read multiple times), all of them getting
>>> config from classpath:org/jsecurity/cache/ehcache/ehcache.xml, except one,
>>> which loads my config file (classpath:myconfig-ehcache.xml). This is the
>>> Spring config for my securityManager:
>>> <bean id="securityManager"
>>>       class="org.jsecurity.web.DefaultWebSecurityManager">
>>>     <property name="realm" ref="jdbcRealm"/>
>>>     <property name="sessionMode" value="jsecurity"/>
>>>     <property name="cacheManager" ref="cacheManager"/>
>>> </bean>
>>> <bean id="cacheManager"
>>>       class="org.jsecurity.cache.ehcache.EhCacheManager">
>>>     <property name="cacheManagerConfigFile">
>>>         <value>classpath:myconfig-ehcache.xml</value>
>>>     </property>
>>> </bean>
>>>
>>> I believe this bean is not being injected into objects that need security
>>> manager, and they are creating their own default copies, with default
>>> config. For example: if I remove JSecurityFilter completely from web.xml,
>>> one of these securityManager creations with default config is gone.
>>> I also just found about references in web.xml inline ini
>>> (securityManager.cacheManager = $cacheManager), but I couldn't refer to the
>>> Spring managed bean. Do I have to repeat the cacheManager config in this
>>> file (ultimately creating a second securityManager), or I can somehow refer
>>> to the same object created by Spring, or vice versa? I see that there is
>>> some SpringIniWebConfiguration, but I couldn't find how to use it.
>>> Debugging the creation of DefaultWebSecurityManagers, some of these wrong
>>> managers are created in the stack of IniWebConfiguration, so I hope the
>>> Spring version can help me.
>>>
>>> Another approach I took: I debugged a hasRole() call to see where things
>>> went wrong, and inside RealmSecurityManager.ensureRealms() no realms were
>>> found, and the default PropertiesRealm was loaded. A resolved bug (SHIRO-66)
>>> says it is caused by a securityManager which is a proxy (I believe it is my
>>> case here, I use proxies, just don't know if the securityManager was proxied
>>> as well). I'd like to avoid using Shiro before 1.0, also because I'm having
>>> problems building Shiro (missing dependencies), and I prefer GA releases.
>>> Can I do some workaround for this?
>>>
>>> Additional notes, don't know if somehow relevant:
>>> - my environment: JBoss 4.2.1, JSecurity 0.9, Spring 2.5.6, DataNucleus
>>> Platform 1.1 (JDO), Java 1.6.
>>> - all my libs and dependencies (Spring, JSecurity, JCaptcha...) are on
>>> jboss (servers libs folder); I did it to reduce deploy size;
>>> - my DAOs and Spring beans (including security manager) are defined in a
>>> parent application, so that the two web projects/contexts that make the
>>> whole application can share the same beans (it works nice AFAIK).
>>>
>>> Well, that's a lot of info. Sorry about my previous mail, I hadn't
>>> properly investigated the issue. Hope I can get some help now =)
>>> Guess I said all I knew about my situation. If there is some missing
>>> link, please tell me.
>>>
>>> Thanks!
>>>
>>
>>
>
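
Added example, not part of the original thread and not Shiro code: a small Python check of the [urls] rules posted in the first message, assuming chains are evaluated top to bottom and the first matching pattern wins, as Shiro's documentation describes for [urls]. The matcher is a simplified Ant-style approximation, the probe-based shadow check is a heuristic, and all function names are hypothetical.

```python
import re

# The [urls] rules from the message, in the posted order (pattern, chain).
POSTED_RULES = [
    ("/web/app/**", "authc"),
    ("/web/app/admin/**", "roles[ADM]"),
    ("/web/app/admin/role1/**", "roles[ADM_ROLE1]"),
    ("/web/app/admin/role2/**", "roles[ADM_ROLE2]"),
    ("/web/app/user/**", "roles[USER]"),
    ("/web/app/user/role1/**", "roles[USER_ROLE2]"),
    ("/web/app/user/role2/**", "roles[USER_ROLE2]"),
]

def ant_regex(pattern):
    """Simplified Ant-style matching: '/**' any depth, '*' and '?' within one segment."""
    out = re.escape(pattern)
    out = out.replace(r"/\*\*", r"(?:/.*)?").replace(r"\*\*", ".*")
    return re.compile(out.replace(r"\*", "[^/]*").replace(r"\?", "[^/]"))

def resolve(path, rules):
    """Chain applied to a path under first-match-wins, or None if nothing matches."""
    return next((c for p, c in rules if ant_regex(p).fullmatch(path)), None)

def shadowed(rules):
    """(pattern, earlier) pairs where an earlier pattern already matches a probe path."""
    hits = []
    for j, (pattern, _) in enumerate(rules):
        probe = pattern.replace("**", "x/y").replace("*", "x").replace("?", "x")
        first = next((e for e, _ in rules[:j] if ant_regex(e).fullmatch(probe)), None)
        if first:
            hits.append((pattern, first))
    return hits

def most_specific_first(rules):
    """Reorder so deeper (more specific) patterns are evaluated before broader ones."""
    return sorted(rules, key=lambda r: -r[0].count("/"))

if __name__ == "__main__":
    path = "/web/app/user/role1"
    print("posted order   ->", resolve(path, POSTED_RULES))
    for pattern, earlier in shadowed(POSTED_RULES):
        print(f"  {pattern} is never reached: {earlier} matches first")
    print("specific first ->", resolve(path, most_specific_first(POSTED_RULES)))
```

With the rules reordered, each path resolves to a single chain, so a role-protected pattern that must also require login needs both filters in its own chain definition.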