Hi Laszlo, I think I'm going to have to defer this question to Jared Bunting - he wrote the google Guice integration in Shiro. Because I don't use Guice, I'm afraid I can't be much help there. Hopefully he can respond when he's available.
Thanks for the Jira issue! -- Les Hazlewood | @lhazlewood CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282 On Sat, May 4, 2013 at 1:52 PM, Laszlo Ferenczi <[email protected]> wrote: > Created: > https://issues.apache.org/jira/browse/SHIRO-435 > > Pretty much a copy & paste of my email, pls feel free to adjust it or tell me > what to adjust. > > Thanks for the offer to help, I think I'm gonna use it :) > > First question: > > One (very) confusing area of the guice integration code is how the filters > are set up in the web module. Can you please explain where are these filter > statements are supposed to be stored and processed ? (I'm not looking for an > explanation of the current code, but rather wanted to understand the > underlying shiro bits) > > For example take the following statement: > addFilterChain("/app/**", AUTHC); > > > - Which shiro class is responsible for storing this information ? > - What is the relation of that class to the SecurityManager ? > - Which class processes these statements ? > > Sorry for the basic question, any pointers would be appreciated. After having > some clue I can debug the rest. > > Thanks in advance ! > > -- > L > > > -- > L > > > On Saturday, May 4, 2013 at 10:32 PM, Les Hazlewood wrote: > >> Sounds good - feel free to ask any questions and we'll help out as >> best as we can (given time restrictions due to work, etc). >> >> Cheers, >> -- >> Les Hazlewood | @lhazlewood >> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282 >> >> >> On Sat, May 4, 2013 at 1:30 PM, Laszlo Ferenczi <[email protected] >> (mailto:[email protected])> wrote: >> > Hi Les, >> > >> > Sure, no problem. (assuming i can register to use jira) >> > >> > For the patch - actually tried it. The thing is that I only use shiro for >> > a week and I don't really feel very confident to touch it. Still a lot to >> > digest. >> > >> > -- >> > L >> > >> > >> > -- >> > L >> > >> > >> > On Saturday, May 4, 2013 at 9:32 PM, Les Hazlewood wrote: >> > >> > > Hi Laszlo, >> > > >> > > Could you please open a Jira issue for this? It will be lost unless >> > > captured in Jira. Also, if possible, could you please provide a patch >> > > for this fix? (patches usually help us fix things faster). >> > > >> > > Thanks, >> > > >> > > -- >> > > Les Hazlewood | @lhazlewood >> > > CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282 >> > > >> > > On Thu, May 2, 2013 at 4:53 AM, Laszlo Ferenczi <[email protected] >> > > (mailto:[email protected])> wrote: >> > > > Hi, >> > > > >> > > > While integrating Shiro to our guice based webapp I've noticed >> > > > something strange. The module setup is pretty much the same as the >> > > > example in the Guice page of Shiro's documentation. Only extra code is >> > > > that I'm exposing the WebSecurityManager like this: >> > > > >> > > > public class AuthModule extends ShiroWebModule { >> > > > >> > > > public AuthModule(ServletContext servletContext) { >> > > > super(servletContext); >> > > > } >> > > > >> > > > @Override >> > > > @SuppressWarnings("unchecked") >> > > > protected void configureShiroWeb() { >> > > > IniRealm iniRealm = new >> > > > IniRealm(Ini.fromResourcePath("classpath:shiro.ini")); >> > > > bindRealm().toInstance(iniRealm); >> > > > expose(WebSecurityManager.class); >> > > > } >> > > > } >> > > > >> > > > A guice injected SecurityManager instance is not the same as the >> > > > cached static SecurityManager in SecurityUtils. >> > > > >> > > > @Path("/Ping") >> > > > @Singleton >> > > > public class PingResource { >> > > > @Inject >> > > > SecurityManager sec; >> > > > >> > > > @Inject >> > > > WebSecurityManager websec; >> > > > >> > > > @GET >> > > > public void ping() { >> > > > SecurityManager man = SecurityUtils.getSecurityManager(); >> > > > >> > > > assert(man == websec); >> > > > assert(man == sec); >> > > > } >> > > > } >> > > > >> > > > First assert passes, second fails. Debugger confirms that there are 2 >> > > > instances in memory, both of them are of type >> > > > DefaultWebSecurityManager but only the WebSecurityManager instance >> > > > works. Any meaningful operation on "sec" will fail (like an >> > > > authorization check). >> > > > >> > > > I think the problem might be the double binding of SecurityManager(s). >> > > > One is bound in ShiroModule another is in ShiroWebModule: >> > > > >> > > > in ShiroModule: >> > > > >> > > > public void configure() { >> > > > // setup security manager >> > > > bindSecurityManager(bind(SecurityManager.class)); >> > > > >> > > > in ShiroWebModule: >> > > > >> > > > protected final void configureShiro() { >> > > > .... >> > > > bindWebSecurityManager(bind(WebSecurityManager.class)); >> > > > >> > > > Both of these methods are running at init time, hence the duplicated >> > > > singletons. >> > > > >> > > > It might be better if ShiroWebModule would overrinde the standard >> > > > configure() method to avoid this double-binding. >> > > > Is it possible to get a fix for this please ? >> > > > >> > > > Thanks in advance ! >> > > > >> > > > Best regards, >> > > > Laszlo >> > > >> > >> > > >
