This line is incorrect:

securityManager = org.jsecurity.web.WebRememberMeManager

You've assigned a RememberMeManager, which is definitely not a
SecurityManager. Since it does not appear that you are configuring the
SecurityManager in any way, you should remove that line, which will cause
the default web-based SecurityManager to be used.

Regards,

Les

On Mon, Jul 20, 2009 at 11:38 AM, Tcharlie<[email protected]> wrote:
>
> I did it; this does not solve my error:
>
> Here is my filter definition
>
> Tcharlie wrote:
>>
>> <filter>
>>   <filter-name>JSecurityFilter</filter-name>
>>   <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>>   <init-param>
>>     <param-name>config</param-name>
>>     <param-value>
>>       [main]
>>       securityManager = org.jsecurity.web.WebRememberMeManager
>>       realmA = realm.XaKiRealm
>>
>>       [filters]
>>       authc = org.jsecurity.web.filter.authc.PassThruAuthenticationFilter
>>       authc.successUrl = /jsp/logon.jsp
>>       authc.loginUrl = /jsp/logon.jsp
>>       roles.unauthorizedUrl = /jsp/accessdenied.html
>>
>>       [urls]
>>       /jsp/cardmgmt.jsp = authc, perms[urls:/jsp/cardmgmt.*:access]
>>       /jsp/newscorner.html = authc, perms[urls:/jsp/newscorner.html:access]
>>       /jsp/changepwd.jsp = authc, perms[urls:/jsp/changepwd.*:access]
>>     </param-value>
>>   </init-param>
>> </filter>
>>
>
> My first jsp:
>
> Tcharlie wrote:
>>
>> <ul>
>>   <li> logon.jsp The Logon/Logoff page </li>
>>   <li> changepwd.jsp The Change Password page </li>
>>   <li> cardmgmt The Card Management page </li>
>>   <li> newscorner.html Employee News Corner </li>
>> </ul>
>>
>
> My realm:
>
> Tcharlie wrote:
>>
>> public class XaKiRealm extends AuthorizingRealm {
>>     @Override
>>     protected AuthorizationInfo doGetAuthorizationInfo(
>>             PrincipalCollection principals) {
>>
>>         if (principals == null) {
>>             throw new AuthorizationException(
>>                     "Les attributs utilisateurs ne doit pas être vide.");
>>         }
>>         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
>>         try {
>>             info.setStringPermissions(PermissionResolver
>>                     .resolvePermissions(((Group) principals.asList().get(2))));
>>         } catch (NamingException e) {
>>             e.printStackTrace();
>>         }
>>         return info;
>>     }
>>
>>     @Override
>>     protected AuthenticationInfo doGetAuthenticationInfo(
>>             AuthenticationToken arg0) throws AuthenticationException {
>>         UserPasswordMandatorAuthenticator auth =
>>                 new UserPasswordMandatorAuthenticator();
>>         try {
>>             AuthenticationReply r = auth
>>                     .authenticate((UsernamePasswordMandatorToken) arg0);
>>             return r;
>>         } catch (UnsupportedCredentialException e) {
>>             throw new UnsupportedTokenException(e.getMessage());
>>         } catch (AccessTimeException e) {
>>             throw new ExcessiveAttemptsException(e.getMessage());
>>         } catch (LockedByAdminException e) {
>>             throw new LockedAccountException(e.getMessage());
>>         } catch (LockedExpiredPasswordException e) {
>>             throw new ExpiredCredentialsException(e.getMessage());
>>         } catch (LockedInvalidPasswordException e) {
>>             throw new IncorrectCredentialsException(e.getMessage());
>>         } catch (net.atos.xa.rm.AuthenticationException e) {
>>             throw new AuthenticationException(e.getMessage());
>>         } catch (NamingException e) {
>>             throw new ConcurrentAccessException(e.getMessage());
>>         } catch (UserNameValidationException e) {
>>             throw new UnknownAccountException(e.getMessage());
>>         }
>>     }
>>
>>     @Override
>>     public final boolean supports(final AuthenticationToken token) {
>>         boolean supported = false;
>>         if (token.getClass().equals(UsernamePasswordMandatorToken.class)) {
>>             supported = true;
>>         }
>>         return supported;
>>     }
>> }
>>
>
> and finally my token:
>
> Tcharlie wrote:
>>
>> public class UsernamePasswordMandatorToken implements
>>         InetAuthenticationToken, RememberMeAuthenticationToken {
>>
>>     private static final long serialVersionUID = 1L;
>>
>>     // default constructor
>>     public UsernamePasswordMandatorToken() {
>>         rememberMe = false;
>>     }
>>
>>     // constructors with arguments
>>     public UsernamePasswordMandatorToken(String username, char password[],
>>             String mandator) {
>>         this(username, password, mandator, false, null);
>>     }
>>
>>     public UsernamePasswordMandatorToken(String username, String password,
>>             String mandator) {
>>         this(username, password == null ? null : password.toCharArray(),
>>                 mandator, false, null);
>>     }
>>
>>     public UsernamePasswordMandatorToken(String username, char password[],
>>             String mandator, InetAddress inetAddress) {
>>         this(username, password, mandator, false, inetAddress);
>>     }
>>
>>     public UsernamePasswordMandatorToken(String username, String password,
>>             String mandator, InetAddress inetAddress) {
>>         this(username, password == null ? null : password.toCharArray(),
>>                 mandator, false, inetAddress);
>>     }
>>
>>     public UsernamePasswordMandatorToken(String username, char password[],
>>             String mandator, boolean rememberMe) {
>>         this(username, password, mandator, rememberMe, null);
>>     }
>>
>>     public UsernamePasswordMandatorToken(String username, String password,
>>             String mandator, boolean rememberMe) {
>>         this(username, password == null ? null : password.toCharArray(),
>>                 mandator, rememberMe, null);
>>     }
>>
>>     // The constructor that does the actual work
>>     public UsernamePasswordMandatorToken(String username, char password[],
>>             String mandator, boolean rememberMe, InetAddress inetAddress) {
>>         this.rememberMe = false;
>>         this.username = username;
>>         this.password = password;
>>         this.mandator = mandator;
>>         this.rememberMe = rememberMe;
>>         this.inetAddress = inetAddress;
>>     }
>>
>>     public UsernamePasswordMandatorToken(String username, String password,
>>             String mandator, boolean rememberMe, InetAddress inetAddress) {
>>         this(username, password == null ? null : password.toCharArray(),
>>                 mandator, rememberMe, inetAddress);
>>     }
>>
>>     // getters & setters
>>     public String getUsername() {
>>         return username;
>>     }
>>
>>     public void setUsername(String username) {
>>         this.username = username;
>>     }
>>
>>     public char[] getPassword() {
>>         return password;
>>     }
>>
>>     public void setPassword(char password[]) {
>>         this.password = password;
>>     }
>>
>>     public String getMandator() {
>>         return mandator;
>>     }
>>
>>     public void setMandator(String mandator) {
>>         this.mandator = mandator;
>>     }
>>
>>     public InetAddress getInetAddress() {
>>         return inetAddress;
>>     }
>>
>>     public void setInetAddress(InetAddress inetAddress) {
>>         this.inetAddress = inetAddress;
>>     }
>>
>>     public boolean isRememberMe() {
>>         return rememberMe;
>>     }
>>
>>     public void setRememberMe(boolean rememberMe) {
>>         this.rememberMe = rememberMe;
>>     }
>>
>>     // Override: returns the list of principals
>>     public Object getPrincipal() {
>>         List<String> res = new ArrayList<String>();
>>         res.add(getUsername());
>>         res.add(getMandator());
>>         return res;
>>     }
>>
>>     // Override: returns the list of credentials
>>     public Object getCredentials() {
>>         return getPassword();
>>     }
>>
>>     // Clears the token
>>     public void clear() {
>>         username = null;
>>         inetAddress = null;
>>         rememberMe = false;
>>         if (password != null) {
>>             for (int i = 0; i < password.length; i++)
>>                 password[i] = '\0';
>>
>>             password = null;
>>         }
>>         mandator = null;
>>     }
>>
>>     public String toString() {
>>         StringBuffer sb = new StringBuffer();
>>         sb.append(getClass().getName());
>>         sb.append(" - ");
>>         sb.append(username);
>>         sb.append(", rememberMe=").append(rememberMe);
>>         if (inetAddress != null)
>>             sb.append(" (").append(inetAddress).append(")");
>>         sb.append("-mandator:");
>>         sb.append(mandator);
>>         return sb.toString();
>>     }
>>
>>     private String username;
>>     private char password[];
>>     private boolean rememberMe;
>>     private InetAddress inetAddress;
>>     private String mandator;
>> }
>>
>
> CardManagement authorization works because it's done via servlet.
> But newscorner results in a 401 error because it's done via direct link
> (< A href >).
>
> Do you see something going wrong?
>
> Regards, see you tomorrow (end of work for me^^),
> Tcharlie
>
>
> Les Hazlewood-2 wrote:
>>
>> If that is the case, you will want to redefine 'authc' to be the
>> PassthroughAuthenticationFilter. This will allow the standard 'authc'
>> behavior, but requires you to implement your own Form and Form
>> controller (which you have already done):
>>
>> [main]
>> authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
>> authc.loginUrl = /path/to/login.jsp
>> authc.successUrl = /path/after/successful/login
>>
>> That should do the trick.
>>
>> Cheers,
>>
>> Les
>>
>> On Mon, Jul 20, 2009 at 11:13 AM, Tcharlie<[email protected]> wrote:
>>>
>>> Les Hazlewood-2 wrote:
>>>>
>>>>>> How does the user authenticate with your application? Do they fill
>>>>>> in and submit a form or are you using Basic HTTP Authentication or
>>>>>> some other method?
>>>>>>
>>>>>
>>>>> I've got a jsp form to authenticate my users. The link is good because
>>>>> if my user is not authenticated, he is redirected to my login page
>>>>
>>>> You need to tell the authentication filter what your login url is so
>>>> it knows where to redirect if a user is not authenticated:
>>>>
>>>> [main]
>>>> authc.loginUrl = /some/path/to/login.jsp
>>>>
>>>> Cheers,
>>>>
>>>> Les
>>>>
>>>
>>> It's already done and it works fine.
>>>
>>> I forgot to mention that I can't use the FormAuthenticationFilter (I
>>> don't know which filter you put as default), because my authentication
>>> token encloses 3 params (username, password and mandator, which represent
>>> the authorisation context (toto may be the hsbc chairman (full
>>> application access), but Citybank customer (restricted access)).
>>> My realm supports this token but FormAuthenticationFilter throws a
>>> listenerstart error if I use it.
>>>
>>> Unfortunately, the link I have to click on is not hidden to the
>>> unauthorized users, resulting in an access permitted by ki when I click
>>> on it, but a
>>> " Etat HTTP 401 -
>>>
>>> type Rapport d'état
>>>
>>> message
>>>
>>> description La requête nécessite une authentification HTTP ().
>>> Apache Tomcat/6.0.18"
>>>
>>> Error.
>>> I deduce that ki allowed me to pass (I wasn't redirected to the login
>>> page) and challenged my http Headers. Due to the fact that I don't have
>>> the authentication header (I lost it when I clicked on the link), the
>>> server doesn't allow me to see my page...
>>> --
>>> View this message in context:
>>> http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3289410.html
>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>>
>>
>
> --
> View this message in context:
> http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3289577.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
