We don't have a web.xml. I forgot to mention that I use embedded Jetty, so mine
is not the typical webapp layout. The web service is only meant to be used as
an API, so we configured it programmatically for now. Is there a way to do the
same in my main class?

Lisa

On Thu, Jul 9, 2015 at 7:40 PM, Christian Wolfe <[email protected]> wrote:

> Have you set up the Shiro Filter in the application's web.xml file?
>
> On Thu, Jul 9, 2015 at 1:39 PM, aidaverdi800 <[email protected]>
> wrote:
>
>>
>> Hi all,
>> I'm new to Shiro and I would like to integrate it in my jaxrs webservice.
>> It has an api to be used by an ajax client.
>>
>> The web service starts programmatically in this way:
>>
>> JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>>
>> JacksonJaxbJsonProvider jackson = new JacksonJaxbJsonProvider();
>> ObjectMapper m = new ObjectMapper();
>> m.configure(DeserializationFeature.UNWRAP_ROOT_VALUE, true);
>>
>> jackson.setMapper(m);
>> CrossOriginResourceSharingFilter cors = new
>> CrossOriginResourceSharingFilter();
>> sf.setProviders( Arrays.< Object >asList(cors, jackson) );
>> sf.setResourceClasses(Service.class, Users.class );
>> sf.setResourceProvider(Service.class, new SingletonResourceProvider(new
>> ServiceImpl(env)));
>> sf.setResourceProvider(Users.class, new SingletonResourceProvider(new
>> Users(env)));
>>
>> sf.setAddress(address);
>> Server server = sf.create();
>>
>> I added
>>
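>> Factory<SecurityManager> shiro = new IniSecurityManagerFactory("classpath:shiro.ini");
>> // Build the SecurityManager from the factory before registering it
>> SecurityManager securityManager = shiro.getInstance();
>> SecurityUtils.setSecurityManager(securityManager);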
>> to configure shiro
>>
>> My shiro.ini is now very simple.
>>
>> [main]
>>
>> # ------------------------
>> # Database
>>
>> # Own Realm
>> jdbcRealm = service.nexdata.SecurityRealm
>>
>> # Sha256
>> sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
>> # base64 encoding, not hex in this example:
>> sha256Matcher.storedCredentialsHexEncoded = false
>> sha256Matcher.hashIterations = 1024
>>
>> jdbcRealm.credentialsMatcher = $sha256Matcher
>>
>>
>> [urls]
>>
>> /users/** = authcBasic
>>
>>
>> and the SecurityRealm implements JdbcRealm and specializes it with my user
>> db, and it works well; I tested it.
>>
>> Service and Users are two rest apis and I have a status method for
>> development
>>
>> @CrossOriginResourceSharing(allowAllOrigins = true, maxAge = 100000,
>> allowHeaders = {"X-custom-1", "X-custom-2"}, exposeHeaders =
>> {"X-custom-3", "X-custom-4"})
>> @Path("/service")
>> public abstract class CvService {
>> ...
>>
>> @GET
>> @Path("/status/")
>> public abstract Response status(); // returns if the service is up and running
>> }
>>
>>
>>
>> @CrossOriginResourceSharing(allowAllOrigins = true,  maxAge = 300,
>> allowHeaders = {"X-custom-1", "X-custom-2"}, exposeHeaders =
>> {"X-custom-3", "X-custom-4"})
>> @Path("/users")
>> public abstract class Users {
>>
>> @GET
>> @Path("/status/")
>> public abstract Response status();
>> }
>>
>> implemented by
>> public Response status()
>> {
>>     Subject currentUser = SecurityUtils.getSubject();
>>     boolean auth = currentUser.isAuthenticated();
>>     if (auth)
>>         return Response.status(Status.OK).entity("User Service up and running!").build();
>>     else
>>         return Response.status(Status.OK).entity("User authentication needed!").build();
>> }
>>
>> Shiro seems to work quite well if I do explicit login and logout, but the
>> authBasic filter doesn't seem to work.
>>
>> I tested it with the Chrome extension Advanced Rest Client and by putting
>> some breakpoints in BasicHttpAuthenticationFilter, and the filter is
>> completely ignored.
>>
>> I have the feeling that shiro.ini is not enough in this case and I must
>> explicitly tell the jaxrs server to use the shiro filter first, but I don't
>> know how.
>>
>> Is it right? Could you help me, please?
>> Thank you in advance,
>>
>>
>> Lisa
>>
>>
>>
>
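
For the embedded-Jetty case asked about at the top of this thread, the following is an added example, not code from either poster or from the Shiro project. It registers Shiro's EnvironmentLoaderListener and ShiroFilter in code instead of web.xml. Assumptions: the class name EmbeddedShiroMain, the StatusServlet stand-in for the JAX-RS resources, port 8080, the javax.servlet API, and that the endpoints are served by a servlet inside this ServletContextHandler.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class EmbeddedShiroMain {

    // Hypothetical stand-in for the JAX-RS resources; it mirrors the status() check.
    public static class StatusServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            // ShiroFilter binds the Subject to the request thread before the servlet runs.
            boolean auth = SecurityUtils.getSubject().isAuthenticated();
            resp.setContentType("text/plain");
            resp.getWriter().println(auth ? "User Service up and running!"
                                          : "User authentication needed!");
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // port is an assumption
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");

        // Same role as <context-param> and <listener> in web.xml:
        // builds the web environment, including the [urls] filter chains.
        context.setInitParameter("shiroConfigLocations", "classpath:shiro.ini");
        context.addEventListener(new EnvironmentLoaderListener());

        // Same role as <filter> and <filter-mapping>: every request passes through Shiro first.
        context.addFilter(ShiroFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST,
                DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.ERROR));

        context.addServlet(new ServletHolder(new StatusServlet()), "/users/*");
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

The [urls] section of shiro.ini is only read by Shiro's web environment, so /users/** = authcBasic takes effect once requests pass through ShiroFilter. IniSecurityManagerFactory on its own builds the SecurityManager but installs no servlet filter.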
