Les Hazlewood wrote:
Acquiring a Subject by session ID only works if using Shiro native
sessions and only if the session that you're referencing is still
valid (it hasn't stopped or expired).

understood, I am using "shiro" session type.


This implies that the session ID you've acquired came from a previous
interaction with a session, that is:

String sessionID = subject.getSession().getId();  //make this available for use later somehow

so the sessionId is generated for me so I must keep and maintain my own mapping of mySessionId->SessionId?

please advise my best approach. I am trying to use Shiro to manage interactions with XMPP users in 2 distinct ways. 1) a pure XMPP client is connecting, so I want to use the bare JID (e.g. [email protected]) as the principal username, and the full JID ([email protected]/resource)+chatThreadId as the sessionId. no password exists, and no IP address is available, so since you are changing InetAddress to string I would like to store the full JID in this field as it's the nearest thing I have (is this ok?)

each time I receive a request I need to discover the appropriate subject by sessionId, as would normally be done by any servlet engine etc, but I really don't follow how I should do this?

oh and
2) I also need a second variation which expects an XMPP connection also, but the user will be determined and authenticated by OAuth signature. sessionId in this case would be connectinguserFullJID+oauthUserBareJID

//later:

String sessionId = //get session ID from somewhere
Subject.Builder builder = new Subject.Builder(securityManager);
builder.sessionId(sessionId);
Subject subject = builder.buildSubject();

unfortunately I have no possible way to store a Shiro generated sessionId on the client side, I can only use what is already available. XMPP does not support cookies or anything similar (unless the client is connecting using a custom client app which mine certainly will not be), so I want to seed the session with my own sessionId, can I do this?

also builder.buildSubject throws an exception if the sessionId doesn't exist or has expired already? (shouldn't this just return this info instead? using Exceptions for program flow isn't really good form, and it's not an Exception when it's expected).

Don't use the SimpleSession - it is there for EIS implementation
concerns only, and you would only ever access that class directly if
you were writing a SessionDAO.

Finally, this all assumes that the session creation code
(subject.getSession().getId()) and the code that re-builds the subject
(builder.buildSubject()) are using the SAME SessionManager (which is
wrapped by the SecurityManager instance).

yes I have configured everything to use the same sessionManager and trivially configured with the properties realm for now. my use case is really basic I think, it's only barely more complex than your QuickStart.

Is your session creation code and subject building code happening in
two different JVMs or applications?

same jvm, same application.
please advise, I'm not much closer to understanding what I need to do.

Thanks
Jason.


- Les

On Fri, Dec 18, 2009 at 3:55 AM, Jason Eacott <[email protected]> wrote:
Hi all,
 I'm having some trouble using Shiro, any help appreciated.
I've created a simple MethodInterceptor that appropriately wraps my code and
tries to set up the Shiro subject & session etc.
I'm in a standalone (not web) spring environment, I don't have any IP address
information, but I do have a string I want to use as a SessionId.

I thought duplicating the code from the SecureRemoteInvocationExecutor would
do it, but it doesn't.

 SecurityManager securityManager =
                   this.securityManager != null ? this.securityManager :
SecurityUtils.getSecurityManager();

           Subject.Builder builder = new Subject.Builder(securityManager);

builder.sessionId(MySessionId);

Subject subject = builder.buildSubject(); //fails here with session doesn't exist

so I found a thread that hinted at something so I tried this instead:
           SecurityManager securityManager =
                   this.securityManager != null ? this.securityManager :
SecurityUtils.getSecurityManager();

SimpleSession session = new SimpleSession();

           session.setId(MySessionId);
           Subject subject = new
   Subject.Builder(securityManager).session(session).buildSubject();

this works, but when it's called again with the same MySessionId the session
is recreated here so nothing sticks.

I'd very much appreciate an example of how this is supposed to be done.
how does the principal get set etc?


thank you.
Jason.
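
One way to bridge the two positions in this thread, as an added example (not code from either poster or from the Shiro project): keep a server-side map from the application's conversation key (for instance full JID + chat thread id) to the session ID that Shiro generates, so the Shiro ID stays random and never leaves the server. The class and method names are hypothetical, the conversation key is assumed to come from an already authenticated XMPP stream, and both outcomes for a stale ID are handled (an exception from buildSubject(), or a Subject built without a session).

```java
import java.io.Serializable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper: conversation key -> Shiro-generated session id. */
public class ConversationSubjects {
    private final SecurityManager securityManager;
    // Kept server-side only; the Shiro session id is never sent to the client.
    private final ConcurrentMap<String, Serializable> sessionIds =
            new ConcurrentHashMap<>();

    public ConversationSubjects(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /** Returns the Subject for a live session, or null if unknown, stopped or expired. */
    public Subject find(String conversationKey) {
        Serializable id = sessionIds.get(conversationKey);
        if (id == null) {
            return null;
        }
        try {
            Subject subject =
                    new Subject.Builder(securityManager).sessionId(id).buildSubject();
            if (subject.getSession(false) != null) {
                return subject; // principals are restored from the session
            }
        } catch (InvalidSessionException e) {
            // Session no longer valid: fall through and forget the stale id.
        }
        sessionIds.remove(conversationKey, id);
        return null;
    }

    /** Logs in a fresh Subject and records its session id under the key. */
    public Subject open(String conversationKey, AuthenticationToken token) {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(token); // throws AuthenticationException on failure
        sessionIds.put(conversationKey, subject.getSession().getId());
        return subject;
    }
}
```

A caller would try find(key) on each incoming stanza and fall back to open(key, token) when it returns null.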















