Hi group, hi Brian,

maybe you can help me understand some things about permissions in web 
applications.

I started with this configuration in shiro.ini (ok, this is an example, 
not the real one)

[main]
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
jdbcRealm.credentialsMatcher = $passwordMatcher
jdbcRealm.authenticationQuery = select Passwort from Benutzer where EMail = ?
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.permissionsQuery = call Permissions(?)

[urls]
/secure/foo/** = ssl, authc, perms["foo"]
/secure/bar/** = ssl, authc, perms["bar"]
/secure/** = ssl, authc
/logout = ssl, logout
/** = ssl

According to the reference manual that should be fine. See 
https://shiro.apache.org/web.html and the URL section.

(Note: The permissionsQuery calls a StoredProcedure. That works for MySQL.)

So the idea is that everything under /secure/ needs ssl and you have to be 
authorized. Additionally some URL paths need a further permission
to allow access: foo and bar.

Compile, package and run.

The login in my web application works. Now I tried to access 
/secure/bar/index.html.

Failure 500

10-Aug-2017 10:18:29.648 SEVERE [https-jsse-nio-8443-exec-8] 
org.apache.shiro.realm.jdbc.JdbcRealm.doGetAuthorizationInfo There was a SQL 
error while authorizing user [raup...@me.com]
 com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table 
'mydb.user_roles' doesn't exist

Ok, this is odd. Looks like the JDBC Realm executes the default userRolesQuery 
even if there is not a single role needed anywhere.

To overcome this I just added a dummy query to shiro.ini. This should give 
every authenticated subject a role of ‘user’.

jdbcRealm.userRolesQuery = select 'user' from Benutzer where Email = ?

Compile, package and run.

The login in my web application works. Now I tried to access 
/secure/bar/index.html.

Failure 401

Odd again. I checked several times that the subject ‘raup...@me.com’ has the 
permissions foo and bar. I looked through the source of JDBCRealm and found 
this.

[...]
PreparedStatement ps = null;
Set<String> permissions = new LinkedHashSet<String>();
try {
    ps = conn.prepareStatement(permissionsQuery);
    // permissionsQuery is executed once per role name; the single bound
    // parameter is the role, not the principal that was authenticated
    for (String roleName : roleNames) {

        ps.setString(1, roleName);

        ResultSet rs = null;
[...]

The permissionsQuery sets the role as the parameter not the principal. Why do 
the permissions depend on roles?

By changing the permission query I could cheat my way out of this.

jdbcRealm.userRolesQuery =  select Email from Benutzer where Email = ?

Compile, package and run.

Everything works as expected. Perfect!

But again: why do permissions depend on roles? Did I miss this in the reference 
documentation? I expected permissions to be independent of roles.

Example:
/secure/foo/** = ssl, authc, roles[admin], perms["foo"]

To access everything under /foo/ I would expect that you need ssl, be 
authenticated, have the role admin and the permission foo.

/secure/foo/** = ssl, authc, perms["foo"]

To access everything under /foo/ I would expect that you need ssl, be 
authenticated, and the permission foo. No role needed.


Hope you guys have time to answer. As always, thanks for the great work. Hope 
in time I can contribute to this great project.

/Björn
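The three outcomes in the message above (500, then 401, then success) all fall out of one detail of JdbcRealm.doGetAuthorizationInfo: userRolesQuery is always run with the principal as its parameter, and permissionsQuery is then run once per returned role name with that role name (not the principal) bound. The following is an added example, a Python re-implementation of that lookup order over an in-memory SQLite database, not Shiro's code and not part of the original message. The two JdbcRealm default query strings are the real ones; the Benutzer/EMail names come from the message; the BenutzerRechte table (standing in for the "call Permissions(?)" stored procedure, which SQLite cannot express), the address alice@example.org, the sample rows, and the 500/401/200 mapping of the perms filter are assumptions made for the demo, and exact string comparison stands in for Shiro's WildcardPermission matching.

```python
import sqlite3

# Constructed sample data for this demo (not from the message). Benutzer/EMail
# follow the message's shiro.ini; BenutzerRechte and the address are assumed.
SAMPLE_USERS = [("alice@example.org", "not-a-real-hash")]
SAMPLE_USER_PERMISSIONS = [("alice@example.org", "foo"), ("alice@example.org", "bar")]

# Default userRolesQuery of org.apache.shiro.realm.jdbc.JdbcRealm.
DEFAULT_USER_ROLES_QUERY = "select role_name from user_roles where username = ?"
# Default permissionsQuery of JdbcRealm, shown for reference: it expects a role.
DEFAULT_PERMISSIONS_QUERY = "select permission from roles_permissions where role_name = ?"
# The two userRolesQuery settings tried in the message.
DUMMY_ROLE_QUERY = "select 'user' from Benutzer where EMail = ?"
EMAIL_AS_ROLE_QUERY = "select EMail from Benutzer where EMail = ?"
# Assumed per-user permission lookup replacing the MySQL stored procedure.
PERMISSIONS_QUERY = "select Recht from BenutzerRechte where EMail = ?"


def build_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Benutzer (EMail text primary key, Passwort text)")
    conn.execute("create table BenutzerRechte (EMail text, Recht text)")
    conn.executemany("insert into Benutzer values (?, ?)", SAMPLE_USERS)
    conn.executemany("insert into BenutzerRechte values (?, ?)", SAMPLE_USER_PERMISSIONS)
    return conn


def authorization_info(conn, principal, user_roles_query, permissions_query):
    """Mirror of the lookup order in JdbcRealm.doGetAuthorizationInfo:
    roles are fetched by principal, then permissions_query runs once per
    role name with the role name (not the principal) as its only parameter."""
    roles = [row[0] for row in conn.execute(user_roles_query, (principal,))]
    permissions = set()
    for role_name in roles:
        permissions.update(row[0] for row in conn.execute(permissions_query, (role_name,)))
    return set(roles), permissions


def perms_filter(conn, principal, required, user_roles_query, permissions_query):
    """Assumed outcome of a perms["..."] filter for an authenticated subject:
    500 when the realm fails on a SQL error, 401 when the permission is
    missing, 200 otherwise. Exact match stands in for WildcardPermission."""
    try:
        _roles, permissions = authorization_info(conn, principal, user_roles_query, permissions_query)
    except sqlite3.OperationalError:  # e.g. "no such table: user_roles"
        return 500
    return 200 if required in permissions else 401


def run_scenarios(principal="alice@example.org", required="bar"):
    """The three userRolesQuery settings from the message, in the order tried."""
    conn = build_db()
    return {
        "default_user_roles_query": perms_filter(conn, principal, required, DEFAULT_USER_ROLES_QUERY, PERMISSIONS_QUERY),
        "dummy_role": perms_filter(conn, principal, required, DUMMY_ROLE_QUERY, PERMISSIONS_QUERY),
        "email_as_role": perms_filter(conn, principal, required, EMAIL_AS_ROLE_QUERY, PERMISSIONS_QUERY),
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: HTTP {status}")
```

Running it reproduces the sequence from the message: the default userRolesQuery fails because no user_roles table exists, the dummy 'user' role makes permissionsQuery run with the literal string user and return nothing, and returning the e-mail address as the "role" makes the per-user permission lookup receive the principal after all. The last variant works, but it only works because the role column now carries the principal; with the default DEFAULT_PERMISSIONS_QUERY schema (roles_permissions keyed by role_name) the realm is designed for a user → roles → permissions chain.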