shiro will do most of what you have written out of the box with a little configuration, rather than code.
*firstly*, i think you can drop your DAO class and put it into the shiro.ini:

    [main]
    ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
    ds.serverName = localhost
    ds.user = user
    ds.password = password
    ds.databaseName = db_name
    jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
    jdbcRealm.dataSource = $ds
    jdbcRealm.permissionsLookupEnabled = true
    jdbcRealm.authenticationQuery = "SELECT password FROM users WHERE user_name = ?"
    jdbcRealm.userRolesQuery = "SELECT role_name FROM user_roles WHERE user_name = ?"
    jdbcRealm.permissionsQuery = "SELECT permission FROM roles_permissions WHERE role_name = ?"

(the ds bean has to be a javax.sql.DataSource, not the plain JDBC Driver class, otherwise the serverName/user/password properties cannot be set and the realm cannot use it.)

*secondly*, use a PassThruAuthenticationFilter<http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/web/filter/authc/PassThruAuthenticationFilter.html> that will pass the credentials through to your UsersRestService path. to do this you need to add this to your shiro.ini:

    [main]
    authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
    authc.loginUrl = /login/

    [urls]
    /login/ = authc

*thirdly*, simplify your UsersRestService class to perform the login via shiro:

    import javax.ws.rs.Consumes;
    import javax.ws.rs.POST;
    import javax.ws.rs.Path;
    import javax.ws.rs.core.Response;

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.subject.Subject;

    @POST
    @Path("/login/")
    @Consumes("application/json")
    public Response login(LoginRequest login) {
        try {
            // the Subject is bound to the current request by ShiroFilter
            Subject currentUser = SecurityUtils.getSubject();
            currentUser.login(new UsernamePasswordToken(login.getUsername(), login.getPassword(), login.getRememberMe()));
            return Response.ok(true).build();
        } catch (AuthenticationException e) {
            return Response.status(Response.Status.UNAUTHORIZED).entity("Bad Credentials").build();
        }
    }

*lastly*, this isn't in any way RESTful, but that is another conversation.....
On 19 March 2014 02:55, onelazyguy <[email protected]> wrote:
> Thanks Dominic,
> I have not tried your approach yet, but this is what I have:
>
> *shiro.ini*
> ---------
> [main]
> jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
> jdbcRealm.permissionsLookupEnabled = true
> ds = com.le.viet.db.HookShiroWithDB
> jdbcRealm.dataSource=$ds
> securityManager.realms = $jdbcRealm
>
> *UserTblDAO.java* (Class A)
> -----------------------------------
> public boolean isLoginSuccess(UserToJavaToJson loginUser){
>     String username = loginUser.getUser();
>     String password = loginUser.getPass();
>
>     Subject subject = userAuthentication(username, password);
>
>     if (subject != null && subject.isAuthenticated()) {
>         logger.debug("successful login");
>         return true;
>     } else {
>         logger.debug("Failed log in");
>         return false;
>     }
> }
>
> public Subject userAuthentication(String username, String pass) {
>     Subject currentUser = null;
>     try {
>         Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
>         SecurityManager securityManager = factory.getInstance();
>
>         JdbcRealm realm = (JdbcRealm) ((IniSecurityManagerFactory) factory).getBeans().get("jdbcRealm");
>
>         realm.setAuthenticationQuery("SELECT password FROM user_tbl WHERE username=?");
>         realm.setUserRolesQuery("SELECT role FROM user_tbl WHERE username=?");
>         realm.setPermissionsQuery("SELECT permission FROM user_tbl WHERE username=?");
>         realm.setPermissionsLookupEnabled(true);
>
>         SecurityUtils.setSecurityManager(securityManager);
>
>         currentUser = SecurityUtils.getSubject();
>
>         //*this is where I created the session*
>         Session session = currentUser.getSession(true);
>         session.setAttribute("currentUser", username);
>         String currentUserValue = (String) session.getAttribute("currentUser");
>
>         if (currentUserValue.equals(username)) {
>             logger.debug("current logged in user is: [" + currentUserValue + "]");
>         }
>
>         if (!currentUser.isAuthenticated()) {
>             UsernamePasswordToken token = new UsernamePasswordToken(username, pass);
>             //token.setRememberMe(true);
>             currentUser.login(token);
>         }
>
>         Subject subject = SecurityUtils.getSubject();
>         if (subject.hasRole("administrator")) {
>             logger.debug("has role administrator");
>         } else {
>             logger.debug("has no role");
>         }
>     } catch (Exception e) {
>         logger.debug("Authentication with shiro failed: \n" + e);
>     }
>     return currentUser;
> }
>
> *UsersRestService.java* (Class B) this is my rest endpoint
> ----------------------------------------------------------------
> @POST
> @Path("/login/{usernamnpassparam}")
> @Consumes("application/json")
> public boolean login(@Context HttpServletRequest req, String usernamnpassparam){
>
>     boolean isLoginSuccess = false;
>     logger.debug("json object: " + usernamnpassparam);
>
>     ObjectMapper mapper = new ObjectMapper();
>     mapper.setVisibility(JsonMethod.FIELD, Visibility.ANY);
>     mapper.configure(DeserializationConfig.Feature.FAIL_ON_UNKNOWN_PROPERTIES, false);
>
>     UserToJavaToJson loginUser = null;
>     try {
>         loginUser = mapper.readValue(usernamnpassparam, UserToJavaToJson.class);
>         logger.debug("login user: " + loginUser.getUser() + " pass: " + loginUser.getPass());
>
>         UserTblDAO userTblDAO = new UserTblDAO();
>         isLoginSuccess = userTblDAO.isLoginSuccess(loginUser);
>
>         //*retrieve user session such as username and role etc but currentUser is returning null*
>         //*I am trying to get the session that I set from UserTblDAO.java class here*
>         HttpSession session = req.getSession();
>         String currentUser = (String) session.getAttribute("currentUser");
>
>         logger.debug("LOGGED IN AS: " + currentUser);
>     } catch (JsonParseException e) {
>         e.printStackTrace();
>     } catch (JsonMappingException e) {
>         e.printStackTrace();
>     } catch (IOException e) {
>         e.printStackTrace();
>     }
>     return isLoginSuccess;
> }
>
> flow of the above code:
> 1. the login restful service method calls the isLoginSuccess method of UserTblDAO.java from UsersRestService.java
> 2. isLoginSuccess will then call userAuthentication, passing in username and password.
> 3. userAuthentication will do the authentication and create a session and return it to the login restful service method call
> 4. from here, I test to see if I can print out the currentUser that was created during session creation.
> 5. currentUser always prints out as null
>
> I don't think I have my shiro.ini configured correctly.
>
> Can you help me out? I am very new to shiro as well as the Jersey RESTful api. I am learning as I go.
> Thank you for your time!
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/How-to-get-the-user-session-using-apache-shiro-with-jersey-RESTful-tp7579771p7579776.html
> Sent from the Shiro User mailing list archive at Nabble.com.
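The following is an added example, not code from either message in this thread, showing the web-bound login flow Dominic's reply points at. The original poster's `currentUser` comes back null because his `IniSecurityManagerFactory` builds a standalone `DefaultSecurityManager` whose sessions are Shiro-native and never touch the servlet `HttpSession` that `req.getSession()` reads. Once `ShiroFilter` (registered through `org.apache.shiro.web.env.EnvironmentLoaderListener` in web.xml) wraps the request, `SecurityUtils.getSubject()` returns a WebSubject whose session is backed by the container session, so an attribute stored at login is visible on the next request. The class below assumes that filter setup, the JdbcRealm and PassThruAuthenticationFilter entries from the reply above in shiro.ini, and a JSON-mapped `LoginRequest` bean; the resource paths and the `loginTime` attribute are illustrative.

```java
// Added example (not from the thread): Jersey resource that authenticates through
// the request-bound Shiro Subject and reads the Shiro session back on a later call.
// Assumes ShiroFilter is mapped in web.xml and shiro.ini defines jdbcRealm and the
// PassThru authc filter as in the reply above. LoginRequest is an assumed bean.
package example;

import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

@Path("/users")
public class UsersRestService {

    // Assumed request bean; the JSON provider fills it from the POST body.
    public static class LoginRequest {
        public String username;
        public String password;
        public boolean rememberMe;
    }

    @POST
    @Path("/login")
    @Consumes(MediaType.APPLICATION_JSON)
    public Response login(LoginRequest login) {
        // ShiroFilter bound a WebSubject to this thread; its session wraps the
        // servlet HttpSession, so no separate SecurityManager is built here.
        Subject currentUser = SecurityUtils.getSubject();
        UsernamePasswordToken token =
                new UsernamePasswordToken(login.username, login.password, login.rememberMe);
        try {
            currentUser.login(token);
        } catch (AuthenticationException e) {
            // Same 401 for unknown user and wrong password: do not reveal which.
            // Never log the submitted password.
            return Response.status(Response.Status.UNAUTHORIZED)
                    .entity("Bad Credentials").build();
        } finally {
            token.clear();   // zero the password chars once Shiro has used them
        }
        // Anything stored here is visible on later requests in the same session.
        Session session = currentUser.getSession();
        session.setAttribute("loginTime", System.currentTimeMillis());
        return Response.ok(currentUser.getPrincipal()).build();
    }

    @GET
    @Path("/me")
    @Produces(MediaType.TEXT_PLAIN)
    public Response me() {
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.isAuthenticated()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // The principal is the username the JdbcRealm authenticated; the attribute
        // set during login comes back here on this second request.
        Session session = currentUser.getSession(false);
        Object loginTime = session == null ? null : session.getAttribute("loginTime");
        return Response.ok(currentUser.getPrincipal() + " since " + loginTime).build();
    }

    @POST
    @Path("/logout")
    public Response logout() {
        // Invalidates the session and clears remember-me state.
        SecurityUtils.getSubject().logout();
        return Response.noContent().build();
    }
}
```

One caveat on the realm config quoted in the reply: `JdbcRealm` uses `SimpleCredentialsMatcher` by default, which compares the `password` column to the submitted value as-is, so that query only works against plaintext storage. For hashed storage, set `jdbcRealm.credentialsMatcher` to a `HashedCredentialsMatcher` bean (with `hashAlgorithmName`, `hashIterations` and `storedCredentialsHexEncoded` configured to match how the hashes were produced) and, if a per-user salt column is used, set `jdbcRealm.saltStyle = COLUMN` and extend the authentication query to select the salt column as well.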
