Hello everyone, 

I'm currently evaluating Security Frameworks for my company. We are
developing a full JEE 6 Application. 
So we have a web and ejb project. The Web project is JSF based.  


So far Shiro looks really promising in comparison to plain JAAS or jGuard.
But I have some additional questions: 
 


1. 
I want to use my own login implementation to stay in the JSF universe. I've
read in the manual that for this case I should use
org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter. I tried to
set it with this configuration: 


ownFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
ownFilter.loginUrl = /login.jsf


Is this correct? Because ownFilter.loginUrl = /login.jsf does not work. I
get directed to login.jsp every time. 
If I use authc.loginUrl = /login.jsf it works. 


2. My JSF Bean which does the login and logout looks like this: 
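import java.io.Serializable;

import javax.enterprise.context.SessionScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.inject.Named;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

@Named
@SessionScoped
public class userBean implements Serializable {

    // Subject is looked up once, when the session-scoped bean is created
    private Subject currentUser = SecurityUtils.getSubject();
    private String name;
    private String password;

    public String login() {
        // Only attempt a login if the subject is not already authenticated
        if (!currentUser.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken(name, password);
            try {
                currentUser.login(token);
                return "index.jsf?faces-redirect=true";
            } catch (UnknownAccountException uae) {
                FacesContext.getCurrentInstance().addMessage(null,
                        new FacesMessage(FacesMessage.SEVERITY_ERROR, "User name does not exist", null));
            } catch (IncorrectCredentialsException ice) {
                FacesContext.getCurrentInstance().addMessage(null,
                        new FacesMessage(FacesMessage.SEVERITY_ERROR, "Password is wrong!", null));
            } catch (AuthenticationException lae) {
                // Any other authentication failure
                FacesContext.getCurrentInstance().addMessage(null,
                        new FacesMessage(FacesMessage.SEVERITY_ERROR, "Error during Login", null));
            }
        }
        // Stay on the current page (already authenticated or login failed)
        return null;
    }

    public String logout() {
        // Re-resolve the subject for the current request before logging out
        currentUser = SecurityUtils.getSubject();
        currentUser.logout();
        return "login.jsf?faces-redirect=true";
    }

    //getter setters...
}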


The Login does work but is this the correct way to do it?


3. What would be the correct way to use Shiro in an EJB Project? 


My goal is to login a user in the web project over a jdbc or ldap realm. But
of course the important methods are in the ejb container and need to be
protected. 


 - So how do I use Shiro in the EJB Container? 

 - Implement the realm in the ejb Project and access it in the web and the
ejb container?

 - Are Shiro web libraries needed in an EJB Project? 


So I really hope someone can answer my questions, because I really would
like to use Shiro in our project but currently I'm a little bit stuck. 





-- 
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Questions-after-first-steps-with-Shiro-tp5525922p5525922.html
Sent from the Shiro User mailing list archive at Nabble.com.