Hello everyone, This is probably going to be a long shot without me providing a working example. I'm hoping someone will point out something obvious. Otherwise, I'll try to put together a working example.
I've been trying to get Authorization working (roles, specifically) using annotations, with minimal success. My setup is a web app (Jersey via Jetty) using Guice. My configuration of Shiro follows the same idea as the Guice examples out there (like this one http://stackoverflow.com/questions/5887603/configuring-apache-shiro-with-google-guice-servlet). Everything is configured purely though code, no Ini. I have a GuiceShiroFilter (below) which filters all requests. @Singleton public class GuiceShiroFilter extends AbstractShiroFilter { @Inject public GuiceShiroFilter(WebSecurityManager securityManager, FilterChainResolver filterChainResolver) { setSecurityManager(securityManager); setFilterChainResolver(filterChainResolver); } } And in my Guice configuration, I create a custom WebSecurityManager, like so: @Provides @Singleton public WebSecurityManager provideWebSecurityManager(Realm realm) { return new MyAppWebSecurityManager(realm); } } This hooks up my custom realm with the web security manager. What I'm seeing is when the user requests a url which is annotated with @RequiresRoles("admin"), I get the following exception: Configuration error: No realms have been configured! One or more realms must be present to execute an authorization operation. After a lot of poking around, I can see that SecurityUtils.getSecurityManager() (and indirectly, SecurityUtils.getSubject()) don't have a reference to my custom WebSecurityManager. In fact, they have a DefaultWebSecurityManager instance. So, of course, they don't have a reference to my custom realm. I tried calling SecurityUtils.setSecurityManager in my provideWebSecurityManager method, which correctly sets the security manager in SecurityUtils for that request, but as soon as another request comes in the security manager is back to a DefaultWebSecurityManager again. Help? This has got me stumped. It seems the SecurityManager instance is getting lost somewhere after the first request. Any advice would be greatly appreciated. Thanks, James -- View this message in context: http://shiro-user.582556.n2.nabble.com/Custom-WebSecurityManager-not-being-used-by-SecurityUtils-tp6581200p6581200.html Sent from the Shiro User mailing list archive at Nabble.com.
