I'm sorry to get back: I have tried everything to apply your useful suggestion but I think I'm in a slightly different situation or I'm missing something again. If I start everything directly launching a jetty server maybe I see something work, but as you can see from my previous code I'm using cxf to manage cors and some other things and I could not find a way to set a servlet context or a filter on JAXRSServerFactoryBean that wraps the server in my case.

Thank you again,
Lisa

On Thu, Jul 9, 2015 at 7:51 PM, Christian Wolfe <[email protected]> wrote:

> This page in the Shiro docs explains how to configure filters when using
> web.xml - http://shiro.apache.org/web.html. All of that can be done
> programmatically instead.
>
> You should be able to create a ServletContext object and add the filter to
> it (as well as any configuration properties for the filter). Then you add
> the ServletContext object to the Server object you created, and then start
> the server.
>
> This Stack Overflow link shows the basic idea of how to create a
> ServletContext object -
> http://stackoverflow.com/questions/19530806/java-jetty-how-to-add-filter-to-embedded-jetty
>
> On Thu, Jul 9, 2015 at 1:46 PM, aidaverdi800 <[email protected]>
> wrote:
>
>> We don't have web.xml, I forgot to tell that I use Jetty embedded so mine
>> is not the typical webapp layout. The webservice is only thought to be
>> used as an api so we configured it programmatically for now. Is there a way
>> to do the same in my main class?
>>
>> Lisa
>>
>> On Thu, Jul 9, 2015 at 7:40 PM, Christian Wolfe <[email protected]>
>> wrote:
>>
>>> Have you set up the Shiro Filter in the application's web.xml file?
>>>
>>> On Thu, Jul 9, 2015 at 1:39 PM, aidaverdi800 <[email protected]>
>>> wrote:
>>>
>>>> Hi all,
>>>> I'm new to Shiro and I would like to integrate it in my jaxrs
>>>> webservice. It has an api to be used by an ajax client.
>>>>
>>>> The web service starts programmatically in this way:
>>>>
>>>> JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>>>>
>>>> JacksonJaxbJsonProvider jackson = new JacksonJaxbJsonProvider();
>>>> ObjectMapper m = new ObjectMapper();
>>>> m.configure(DeserializationFeature.UNWRAP_ROOT_VALUE, true);
>>>>
>>>> jackson.setMapper(m);
>>>> CrossOriginResourceSharingFilter cors = new CrossOriginResourceSharingFilter();
>>>> sf.setProviders(Arrays.<Object>asList(cors, jackson));
>>>> sf.setResourceClasses(Service.class, Users.class);
>>>> sf.setResourceProvider(Service.class, new SingletonResourceProvider(new ServiceImpl(env)));
>>>> sf.setResourceProvider(Users.class, new SingletonResourceProvider(new Users(env)));
>>>>
>>>> sf.setAddress(address);
>>>> Server server = sf.create();
>>>>
>>>> I added
>>>>
>>>> Factory<SecurityManager> shiro = new IniSecurityManagerFactory("classpath:shiro.ini");
>>>> // build the SecurityManager from the factory before registering it
>>>> SecurityManager securityManager = shiro.getInstance();
>>>> SecurityUtils.setSecurityManager(securityManager);
>>>>
>>>> to configure shiro
>>>>
>>>> My shiro.ini is now very simple.
>>>>
>>>> [main]
>>>>
>>>> # ------------------------
>>>> # Database
>>>>
>>>> # Own Realm
>>>> jdbcRealm = service.nexdata.SecurityRealm
>>>>
>>>> # Sha256
>>>> sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
>>>> # base64 encoding, not hex in this example:
>>>> sha256Matcher.storedCredentialsHexEncoded = false
>>>> sha256Matcher.hashIterations = 1024
>>>>
>>>> jdbcRealm.credentialsMatcher = $sha256Matcher
>>>>
>>>>
>>>> [urls]
>>>>
>>>> /users/** = authcBasic
>>>>
>>>>
>>>> and the SecurityRealm implements JdbcRealm and specializes it with my
>>>> user db and works well, I tested it.
>>>>
>>>> Service and Users are two rest apis and I have a status method for
>>>> development
>>>>
>>>> @CrossOriginResourceSharing(allowAllOrigins = true, maxAge = 100000,
>>>>     allowHeaders = {"X-custom-1", "X-custom-2"},
>>>>     exposeHeaders = {"X-custom-3", "X-custom-4"})
>>>> @Path("/service")
>>>> public abstract class CvService {
>>>>     ...
>>>>
>>>>     @GET
>>>>     @Path("/status/")
>>>>     public abstract Response status(); // returns if the service is up and running
>>>> }
>>>>
>>>>
>>>> @CrossOriginResourceSharing(allowAllOrigins = true, maxAge = 300,
>>>>     allowHeaders = {"X-custom-1", "X-custom-2"},
>>>>     exposeHeaders = {"X-custom-3", "X-custom-4"})
>>>> @Path("/users")
>>>> public abstract class Users {
>>>>
>>>>     @GET
>>>>     @Path("/status/")
>>>>     public abstract Response status();
>>>> }
>>>>
>>>> implemented by
>>>>
>>>> public Response status()
>>>> {
>>>>     Subject currentUser = SecurityUtils.getSubject();
>>>>     boolean auth = currentUser.isAuthenticated();
>>>>     if (auth)
>>>>         return Response.status(Status.OK).entity("User Service up and running!").build();
>>>>     else
>>>>         return Response.status(Status.OK).entity("User authentication needed!").build();
>>>> }
>>>>
>>>> Shiro seems to work quite well if I do explicit login and logout, but
>>>> the authBasic filter doesn't seem to work.
>>>>
>>>> I tested it with the chrome extension Advanced Rest Client and putting
>>>> some breakpoints in BasicHttpAuthenticationFilter and the filter is
>>>> completely ignored.
>>>>
>>>> I have the feeling that shiro.ini is not enough in this case and I must
>>>> explicitly tell the jaxrs server to use shiro filter first but I don't know
>>>> how.
>>>>
>>>> Is it right? Could you help me, please?
>>>> Thank you in advance,
>>>>
>>>>
>>>> Lisa
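Added example, not part of the thread and not the posters' code: one way to apply the quoted ServletContext suggestion while keeping `JAXRSServerFactoryBean`, by publishing the endpoint on a `CXFNonSpringServlet` bus inside an embedded Jetty `ServletContextHandler` so that `ShiroFilter` runs before CXF. The names `SecuredApiMain`, `ApiServlet` and `UsersResource` and port 8080 are assumptions, as are Jetty 9, CXF 3 and Shiro 1.x (`javax.servlet`) with `shiro.ini` on the classpath.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.ServletConfig;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.transport.servlet.CXFNonSpringServlet;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class SecuredApiMain {
    // Hypothetical stand-in for the thread's Users resource.
    @Path("/users")
    public static class UsersResource {
        @GET @Path("/status")
        public String status() { // the Subject was bound to this thread by ShiroFilter
            return SecurityUtils.getSubject().isAuthenticated() ? "authenticated" : "anonymous";
        }
    }
    // Publishes the JAX-RS endpoint on this servlet's bus, so requests pass through
    // the servlet filter chain instead of a Jetty instance that CXF starts itself.
    public static class ApiServlet extends CXFNonSpringServlet {
        @Override
        public void loadBus(ServletConfig config) {
            super.loadBus(config);
            JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
            sf.setBus(getBus());
            sf.setResourceClasses(UsersResource.class);
            sf.setAddress("/"); // relative address: served by this servlet
            sf.create();
        }
    }
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // port is an assumption
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        // The [urls] section of shiro.ini is read only by the web environment
        // that this listener creates, not by IniSecurityManagerFactory.
        ctx.setInitParameter("shiroConfigLocations", "classpath:shiro.ini");
        ctx.addEventListener(new EnvironmentLoaderListener());
        ctx.addFilter(ShiroFilter.class, "/*", EnumSet.allOf(DispatcherType.class));
        ctx.addServlet(new ServletHolder(new ApiServlet()), "/*");
        server.setHandler(ctx);
        server.start();
        server.join();
    }
}
```

With `/users/** = authcBasic` in `shiro.ini`, a request to `/users/status` without credentials should receive a 401 with a `WWW-Authenticate` challenge before it reaches the resource method.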
