Hi,
Yes around is the best solution. I will try to clarify the part you did not understand: With the AspectJ around I catch all method execution (and call if I configure that also) annotated with @RequireRoles/Permissions/etc (could of course only change the pointcut to intercept only when annotations are within a class that implements my interface Service), so I need to add in the thread context the first time it reaches one of these methods a Boolean to know if the subject was already got from a service class (RMI endpoint clients call) (or from another context I might do later), if it is True then only proceed is called and I do not rebind the subject with execute(). If I was rebinding the subject would be removed from current context/thread and any call to another method annotated with @RequireRoles/Permissions/etc would throw an exception if not in a service class and also I could also try to get the subject within a method later on (outside a service class) and I would receive an empty Subject. Hope I was clear enough on that point. Now I am including Spring in my project because it adds many features that I require, @transactional, @Cacheable and simple integration with JOOQ. From: Brian Demers [via Shiro User] [mailto:[email protected]] Sent: 2017年1月31日 1:53 To: yoann159 Subject: Re: How to make RMI work with Apache Shiro I'm not sure i understand this part, the solution you proposed on stackoverflow seems like your best bet, use an 'around' and subject.execute(). This will allow any other shiro call to function, and unbind the thread when complete. Feel free to answer respond back on stack overflow I tried to intercept Shiro annotations with Before and Around advice with AspectJ, it works and I can do what I wanted (see link to stackoverflow for code). Around advice is the good solution, it set and unset the Subject, what I did not show in my code is that we need to store in the thread context one more info that we are already in an intercepted call so we do not need to get the Subject from the Service otherwise it would remove the subject in nested calls. http://stackoverflow.com/questions/41849439/apache-shiro-annotation-aop-and-rmi On Mon, Jan 30, 2017 at 5:35 AM, yoann159 <[hidden email]> wrote: Hi, So far I decided to use RMI, JUnit 5, Mockito, Guava, JOOQ, AspectJ, Apache IO/imaging/Configuration/Net for my project and Apache Shiro (but why not use Spring Security? See later explication). My application is a standalone app, for desktop. A server app, a client app and GUI made with JavaFx. I tried to intercept Shiro annotations with Before and Around advice with AspectJ, it works and I can do what I wanted (see link to stackoverflow for code). Around advice is the good solution, it set and unset the Subject, what I did not show in my code is that we need to store in the thread context one more info that we are already in an intercepted call so we do not need to get the Subject from the Service otherwise it would remove the subject in nested calls. I know I am going to need to do caching, transactions, metrics for my app therefore I started to look for Spring Boot to not code everything -> @Transactional, @Cacheable, @Count, etc. So far I came with different dependencies: Spring boot 2.0.0, Spring Security, Spring AOP and AspectJ, Spring Cache, Spring Mail, Spring JOOQ/ Spring H2 (for tests and dev)/ Spring MySQL driver, Spring Actuator (and above framework except Apache Shiro). So maybe if I use Spring security I do not need Apache Shiro but now I need to see how to configure Spring Security with AspectJ. If you know what I said above, do you see any incoherence in the different technologies I decided to use. All of the one (from Spring) I quoted are standalone compatible (not only for web)? I suggest we could continue on http://stackoverflow.com/questions/41849439/apache-shiro-annotation-aop-and- rmi as it would reach more people searching on stackoverflow. Thank you. From: Brian Demers [via Shiro User] [mailto:[hidden email]] Sent: 2017年1月26日 22:49 To: yoann159 Subject: Re: How to make RMI work with Apache Shiro I'm not sure I'm fully following anymore, lets take a step back, tell us about your stack. And we can point you in the right direction. (there are a few ways to process the Shiro annotations, Spring, Guice, JAX-RS, aop, (and CDI on a branch). Take a look at this as well: https://shiro.apache.org/subject.html#thread-association On Wed, Jan 25, 2017 at 10:47 PM, yoann159 <[hidden email]> wrote: Hi, I tried the aspect example ( <<a href="https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/o rg/apache/shiro/samples/aspectj/bank <https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/o%20rg/apache/shiro/samples/aspectj/bank> " rel="noreferrer" target="_blank">https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/o rg/apache/shiro/samples/aspectj/bank> <a href="https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/or g/apache/shiro/samples/aspectj/bank <https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/or%20g/apache/shiro/samples/aspectj/bank> " rel="noreferrer" target="_blank">https://github.com/apache/shiro/tree/master/samples/aspectj/src/main/java/or g/apache/shiro/samples/aspectj/bank) It works for the tests but I do not see how I can intercept the RequiresPermissions or RequiresRoles or etc to get the jointpoint called, get the reference of subject stored in the service instantiated for that client and simply call set method to set Subject to current executing thread. Also <https://github.com/apache/shiro/blob/master/samples/spring-boot/> https://github.com/apache/shiro/blob/master/samples/spring-boot/ is good simple example but like I said I do not use Spring context, I do desktop app with a server and clients. Unless it is possible to use Spring without a web context? Spring boot is good but it is more like: @GetMapping() @RequestMapping(…) I maybe have a solution with: pointcut allow(): execution(@org.apache.shiro.authz.annotation.RequiresPermissions * *(..)) || execution(@org.apache.shiro.authz.annotation.RequiresRoles * *(..)); With that I can have before advice and do: ((Service) thisJoinPoint.getThis()).getSubject(); ThreadState threadState = new SubjectThreadState(subject); threadState.bind(); Not sure if I need to add a after advice to unbind the threadState but it seems to work, and anyway any method will override the current subject. What would you suggest? Thank you. From: Brian Demers [via Shiro User] [mailto:[hidden email]] Sent: 2017年1月25日 22:32 To: yoann159 Subject: Re: How to make RMI work with Apache Shiro Take a look at: https://shiro.apache.org/spring.html#secure-spring-remoting Most of the Spring samples also include a remoting example:Â https://github.com/apache/shiro/tree/master/samples There is also an aspectj example On Tue, Jan 24, 2017 at 11:24 PM, yoann159 <[hidden email]> wrote: How to make RMI work with Apache Shiro? Each calls on a method with @RequireRoles("..") execute on different thread shared by multiple clients. Is there a way to intercept this AOP, set the current Subject for this thread (threadLocal), then unset it at the end of the method? Thank you for your help -- View this message in context: <a href="http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shir o-tp7581467.html <http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shir%20o-tp7581467.html> " rel="noreferrer" target="_blank">http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shir o-tp7581467.html Sent from the Shiro User mailing list archive at Nabble.com. _____ If you reply to this email, your message will be added to the discussion below: <a href="http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shi ro-tp7581467p7581468.html <http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shi%20ro-tp7581467p7581468.html> " rel="noreferrer" target="_blank">http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shi ro-tp7581467p7581468.html To unsubscribe from How to make RMI work with Apache Shiro, click here <<a href="http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsub scribe_by_code <http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsub%20scribe_by_code&node=7581467&code=eW9hbm5Ac2Fhcy5hbGx1cmVzeXN0ZW1zLmNvbXw3NTg> &node=7581467&code=eW9hbm5Ac2Fhcy5hbGx1cmVzeXN0ZW1zLmNvbXw3NTg" rel="noreferrer" target="_blank">http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsub scribe_by_code&node=7581467&code=eW9hbm5Ac2Fhcy5hbGx1cmVzeXN0ZW1zLmNvbXw3NTg xNDY3fDYzMDk5NjIyOQ==> . <http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro _viewer <<a href="http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro _viewer <http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro%20_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.Ba%20sicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.templa%20te.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instan%20t_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> &id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.Ba sicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.templa te.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instan t_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml" rel="noreferrer" target="_blank">http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro _viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.Ba sicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.templa te.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instan t_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> &id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicName space-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.Node Namespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_email s%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> NAML -- View this message in context: <a href="http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shir o-tp7581467p7581473.html <http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shir%20o-tp7581467p7581473.html> " rel="noreferrer" target="_blank">http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shir o-tp7581467p7581473.html Sent from the Shiro User mailing list archive at Nabble.com. _____ If you reply to this email, your message will be added to the discussion below: http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shi ro-tp7581467p7581474.html To unsubscribe from How to make RMI work with Apache Shiro, click here <<a href="http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsub scribe_by_code <http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsub%20scribe_by_code&node=7581467&code=eW9hbm5Ac2Fhcy5hbGx1cmVzeXN0ZW1zLmNvbXw3NTg> &node=7581467&code=eW9hbm5Ac2Fhcy5hbGx1cmVzeXN0ZW1zLmNvbXw3NTg" rel="noreferrer" target="_blank">http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsub scribe_by_code&node=7581467&code=eW9hbm5Ac2Fhcy5hbGx1cmVzeXN0ZW1zLmNvbXw3NTg xNDY3fDYzMDk5NjIyOQ==> . <<a href="http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro _viewer <http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro%20_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.Ba%20sicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.templa%20te.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instan%20t_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> &id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.Ba sicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.templa te.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instan t_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml" rel="noreferrer" target="_blank">http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro _viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.Ba sicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.templa te.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instan t_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> NAML winmail.dat (15K) <http://shiro-user.582556.n2.nabble.com/attachment/7581479/0/winmail.dat> -- View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shiro-tp7581467p7581479.html Sent from the Shiro User mailing list archive at Nabble.com. _____ If you reply to this email, your message will be added to the discussion below: http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shiro-tp7581467p7581480.html To unsubscribe from How to make RMI work with Apache Shiro, click here <http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=7581467&code=eW9hbm5Ac2Fhcy5hbGx1cmVzeXN0ZW1zLmNvbXw3NTgxNDY3fDYzMDk5NjIyOQ==> . <http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> NAML -- View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-make-RMI-work-with-Apache-Shiro-tp7581467p7581484.html Sent from the Shiro User mailing list archive at Nabble.com.
