Hi, I'm still waiting for some help on this. I tried changing the way these rules are written (more restrictive first, list full requirements list - as authc, roles[X]) but nothing worked. I really don't know what I'm missing.
Any help is welcome! Cheers!

On Wed, Jul 8, 2009 at 9:24 AM, mad rug <[email protected]> wrote:
> Hi,
>
> Well, I could solve half the problem. I included
> configClassName=org.apache.shiro.spring.SpringIniWebConfiguration and
> securityManagerBeanName=securityManager in web.xml and now I can check for
> roles. I did it programmatically and through tags and it worked nice.
>
> My url filters are not working the way I expected yet. Here is my web.xml
> filter definition:
> <filter>
>   <filter-name>ShiroFilter</filter-name>
>   <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
>   <init-param>
>     <param-name>configClassName</param-name>
>     <param-value>org.apache.shiro.spring.SpringIniWebConfiguration</param-value>
>   </init-param>
>   <init-param>
>     <param-name>securityManagerBeanName</param-name>
>     <param-value>securityManager</param-value>
>   </init-param>
>   <init-param>
>     <param-name>config</param-name>
>     <param-value>
>       [filters]
>       shiro.loginUrl = /web/login
>       authc.successUrl = /web/app/home
>
>       [urls]
>       /web/app/**=authc
>       /web/app/admin/**= roles[ADM]
>       /web/app/admin/role1/**= roles[ADM_ROLE1]
>       /web/app/admin/role2/**= roles[ADM_ROLE2]
>       /web/app/user/**= roles[USER]
>       /web/app/user/role1/**= roles[USER_ROLE2]
>       /web/app/user/role2/**= roles[USER_ROLE2]
>     </param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>ShiroFilter</filter-name>
>   <url-pattern>/web/*</url-pattern>
> </filter-mapping>
>
> Authentication is correctly requested for any /web/app url, but any other
> role applies. I can use an ADM user to access a url like /web/app/user/role1
> without restrictions. This is the log for the page request:
> [org.apache.shiro.web.servlet.ShiroFilter] No security filter chain
> configured for the current request. Using default.
>
> And since I'm here, a few questions:
> - as Shiro does not handle roles updates (it does not store them back), how
> can I invalidate/refresh roles cache for some user or a group of users when
> I know it is needed?
> - without ehcache (looks like the devs removed them), what's the best
> production-oriented cache solution/implementation available?
>
> Thanks again!
>
>
> On Tue, Jul 7, 2009 at 9:55 PM, mad rug <[email protected]> wrote:
>
>> Hi Les,
>>
>> I didn't have code problems, I just used JSecurity 0.9 because I always
>> avoid to use dev codebase. As I saw that some bug fixes were already on
>> Shiro (SHIRO-66), I replaced JSecurity. I did little testing since this
>> change, but my issues remain. This is the error calling hasRole():
>>
>> java.lang.IllegalStateException: Configuration error: No realms have been
>> configured! One or more realms must be present to execute an authorization
>> operation.
>>     at org.apache.shiro.authz.ModularRealmAuthorizer.assertRealmsConfigured(ModularRealmAuthorizer.java:149)
>>     at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:308)
>>     at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:182)
>>     at org.apache.shiro.subject.DelegatingSubject.hasRole(DelegatingSubject.java:228)
>>     at mypackage.MyController.referenceData(MyController.java:99)
>>     ...
>>
>> That's the same error, it was triggered in the same place, just that it
>> now throws a new exception.
>> And about shiro, was ehcache support removed? I couldn't locate
>> EhCacheManager.
>>
>> Thanks
>>
>>
>> On Tue, Jul 7, 2009 at 5:06 PM, Les Hazlewood <[email protected]> wrote:
>>
>>> Hi Mad,
>>>
>>> By your class names, that means you're using JSecurity 0.9.0 final and
>>> not using Shiro's codebase yet. Do you have any problems using the Shiro
>>> codebase?
>>>
>>> I ask because it would be much easier for me to play with things with the
>>> dev environment I already have set up centered around Shiro.
>>>
>>> Thoughts?
>>>
>>> Cheers,
>>>
>>> Les
>>>
>>>
>>> On Tue, Jul 7, 2009 at 3:15 PM, mad rug <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm facing some issues using JSecurity in my project. Authentication
>>>> works perfect (JDBC based login, require login for protected URLs), but
>>>> authorization is not.
>>>> I set up a JdbcRealm, following the Spring sample bundled with
>>>> JSecurity. Most of it is unchanged from the sample (I change it to my own
>>>> URLs, custom JDBC queries).
>>>>
>>>> When I debug my app and check the authenticated Subject, its
>>>> securityManager is using classpath:org/jsecurity/cache/ehcache/ehcache.xml
>>>> as config file. The first time I try to check anything involving
>>>> authorization, I get this:
>>>> 10:49:21,421 INFO [RealmSecurityManager] No Realms configured. Defaulting to failsafe PropertiesRealm.
>>>> ...
>>>> 10:49:21,546 INFO [EhCacheManager] Using preconfigured EHCache named [org.jsecurity.realm.text.PropertiesRealm-1-authorization]
>>>> 10:49:23,687 ERROR [[secureWeb]] Servlet.service() for servlet secureWeb threw exception
>>>> java.util.NoSuchElementException
>>>>     at java.util.Collections$EmptySet$1.next(Collections.java:2912)
>>>>     at java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
>>>>     at org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:159)
>>>>     ...
>>>>
>>>> In my JBoss logs, I see that the security manager seems to be created
>>>> multiple times (the config file was read multiple times), all of them getting
>>>> config from classpath:org/jsecurity/cache/ehcache/ehcache.xml, except one,
>>>> which loads my config file (classpath:myconfig-ehcache.xml).
>>>> This is the Spring config for my securityManager:
>>>> <bean id="securityManager"
>>>>       class="org.jsecurity.web.DefaultWebSecurityManager">
>>>>   <property name="realm" ref="jdbcRealm"/>
>>>>   <property name="sessionMode" value="jsecurity"/>
>>>>   <property name="cacheManager" ref="cacheManager"/>
>>>> </bean>
>>>> <bean id="cacheManager"
>>>>       class="org.jsecurity.cache.ehcache.EhCacheManager">
>>>>   <property name="cacheManagerConfigFile">
>>>>     <value>classpath:myconfig-ehcache.xml</value>
>>>>   </property>
>>>> </bean>
>>>>
>>>> I believe this bean is not being injected into objects that need
>>>> security manager, and they are creating their own default copies, with
>>>> default config. For example: if I remove JSecurityFilter completely from
>>>> web.xml, one of these securityManager creations with default config is
>>>> gone.
>>>> I also just found about references in web.xml inline ini
>>>> (securityManager.cacheManager = $cacheManager), but I couldn't refer to the
>>>> Spring managed bean. Do I have to repeat the cacheManager config in this
>>>> file (ultimately creating a second securityManager), or I can somehow refer
>>>> to the same object created by Spring, or vice versa? I see that there is
>>>> some SpringIniWebConfiguration, but I couldn't find how to use it.
>>>> Debugging the creation of DefaultWebSecurityManagers, some of these
>>>> wrong managers are created in the stack of IniWebConfiguration, so I hope
>>>> the Spring version can help me.
>>>>
>>>> Another approach I took: I debugged a hasRole() call to see where things
>>>> went wrong, and inside RealmSecurityManager.ensureRealms() no realms were
>>>> found, and the default PropertiesRealm was loaded. A resolved bug
>>>> (SHIRO-66) says it is caused by a securityManager which is a proxy (I
>>>> believe it is my case here, I use proxies, just don't know if the
>>>> securityManager was proxied as well).
>>>> I'd like to avoid using Shiro before 1.0, also because I'm having
>>>> problems building Shiro (missing dependencies), and I prefer GA releases.
>>>> Can I do some workaround for this?
>>>>
>>>> Additional notes, don't know if somehow relevant:
>>>> - my environment: JBoss 4.2.1, JSecurity 0.9, Spring 2.5.6, DataNucleus
>>>> Platform 1.1 (JDO), Java 1.6.
>>>> - all my libs and dependencies (Spring, JSecurity, JCaptcha...) are on
>>>> jboss (servers libs folder); I did it to reduce deploy size;
>>>> - my DAOs and Spring beans (including security manager) are defined in a
>>>> parent application, so that the two web projects/contexts that make the
>>>> whole application can share the same beans (it works nice AFAIK).
>>>>
>>>> Well, that's a lot of info. Sorry about my previous mail, I hadn't
>>>> properly investigated the issue. Hope I can get some help now =)
>>>> Guess I said all I knew about my situation. If there is some missing
>>>> link, please tell me.
>>>>
>>>> Thanks!
>>>>
>>>
>>>
>>
>
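
Added example, not part of the thread and not Shiro's own code: a small Python model of how the `[urls]` entries quoted above are selected, plus a check that flags entries an earlier `prefix/**` entry always pre-empts. It assumes chains are resolved in definition order with the first matching pattern winning, and uses a simplified Ant-style matcher; `ant_to_regex`, `resolve`, `shadowed` and `SPECIFIC_FIRST` are names made up here, and the model does not account for the "No security filter chain configured" log line.

```python
import re

# [urls] entries copied from the quoted web.xml, in their original order.
URLS = [
    ("/web/app/**", "authc"),
    ("/web/app/admin/**", "roles[ADM]"),
    ("/web/app/admin/role1/**", "roles[ADM_ROLE1]"),
    ("/web/app/admin/role2/**", "roles[ADM_ROLE2]"),
    ("/web/app/user/**", "roles[USER]"),
    ("/web/app/user/role1/**", "roles[USER_ROLE2]"),
    ("/web/app/user/role2/**", "roles[USER_ROLE2]"),
]

def ant_to_regex(pattern):
    """Simplified Ant-style matching (an assumption, not Shiro's matcher):
    a trailing '/**' matches the prefix and anything below it, '**' spans
    segments, '*' stays within one segment, '?' is one character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def resolve(path, rules):
    """First match wins: return the first (pattern, chain) matching path."""
    for pattern, chain in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, chain
    return None  # no entry matched: only the default chain would run

def shadowed(rules):
    """Entries that can never be selected because an earlier literal
    'prefix/**' entry already matches everything they match."""
    hits = []
    for j, (later, _) in enumerate(rules):
        for earlier, _ in rules[:j]:
            prefix = earlier[:-2]  # '/web/app/**' -> '/web/app/'
            if earlier.endswith("/**") and not set("*?") & set(prefix) \
                    and (later + "/").startswith(prefix):
                hits.append((later, earlier))
                break
    return hits

# Deepest paths first, so the most specific entry is reached before '/web/app/**'.
SPECIFIC_FIRST = sorted(URLS, key=lambda rule: -rule[0].count("/"))
```

Under this model the original order sends `/web/app/user/role1` to the `authc`-only entry, and every `roles[...]` entry is reported as shadowed by `/web/app/**`; in `SPECIFIC_FIRST` none is.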
