Ok, that is working and I suppose I'm ok with that approach. Now given the
lack of documentation, I am having an issue on how to secure my remote
services.
I have tried putting the @RequiresPermissions("permission2") on the
interface (although I really don't want to create another jar dependency in
my client) and on the implementation on the server yet the
doGetAuthorizationInfo is never being called.
I am under the impression since I am not using web url's and jsp pages that
the org.apache.shiro.spring.web.ShiroFilterFactoryBean isn't really relevant
to me. Is that true? If not how do I specify the method on my interface
where login is?
I have the following in my web xml and all of my remote services are exposed
through /remote
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/remote/*</url-pattern>
</filter-mapping>
my very specific questions are;
Where exactly is the configuration that enables security? Is it in fact in
the org.apache.shiro.spring.web.ShiroFilterFactoryBean?
Where do I need to annotate my methods? In the interface that gets deployed
to the client, therefore requiring another dependency or is annotating the
implementation valid?
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Best-way-to-associate-Session-to-SecureRemoteInvocationFactory-tp5541140p5543116.html
Sent from the Shiro User mailing list archive at Nabble.com.
