Hello All - just want to say everything in Shiro was configured ok.
The bug was in the implementation of my mock dao.
All works nicely
On Wed, Nov 9, 2016 at 2:49 PM, Adam X <vbgnm3c...@gmail.com> wrote:
> So I set org.apache.shiro to DEBUG level and discovered that Shiro is
> actually correctly authenticating but for some reason displays
> "Unauthorized" page:
>
> [DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
> (getUser:444) - userId: donkey
> [DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
> (getUserPassword:451) - userId: donkey
> [DEBUG] org.apache.shiro.realm.AuthenticatingRealm
> (getAuthenticationInfo:569) - Looked up AuthenticationInfo [donkey]
> from doGetAuthenticationInfo
> [DEBUG] org.apache.shiro.realm.AuthenticatingRealm
> (cacheAuthenticationInfoIfPossible:507) - AuthenticationInfo caching
> is disabled for info [donkey]. Submitted token:
> [org.apache.shiro.authc.UsernamePasswordToken - donkey,
> rememberMe=false].
> [DEBUG] org.apache.shiro.authc.credential.SimpleCredentialsMatcher
> (equals:95) - Performing credentials equality check for
> tokenCredentials of type [[C and accountCredentials of type
> [java.lang.String]
> [DEBUG] org.apache.shiro.authc.credential.SimpleCredentialsMatcher
> (equals:101) - Both credentials arguments can be easily converted to
> byte arrays. Performing array equals comparison
> [DEBUG] org.apache.shiro.authc.AbstractAuthenticator
> (authenticate:233) - Authentication successful for token
> [org.apache.shiro.authc.UsernamePasswordToken - donkey,
> rememberMe=false]. Returned account [donkey]
> [DEBUG] org.apache.shiro.subject.support.DefaultSubjectContext
> (resolveSecurityManager:102) - No SecurityManager available in subject
> context map. Falling back to SecurityUtils.getSecurityManager()
> lookup.
> [DEBUG] org.apache.shiro.subject.support.DefaultSubjectContext
> (resolveSecurityManager:102) - No SecurityManager available in subject
> context map. Falling back to SecurityUtils.getSecurityManager()
> lookup.
> [DEBUG] org.apache.shiro.web.servlet.SimpleCookie
> (addCookieHeader:226) - Added HttpServletResponse Cookie
> [rememberMe=deleteMe; Path=/bip; Max-Age=0; Expires=Tue, 08-Nov-2016
> 12:28:52 GMT]
> [DEBUG] org.apache.shiro.mgt.AbstractRememberMeManager
> (onSuccessfulLogin:290) - AuthenticationToken did not indicate
> RememberMe is requested. RememberMe functionality will not be
> executed for corresponding account.
> [DEBUG] org.apache.shiro.realm.AuthorizingRealm
> (getAuthorizationCacheLazy:234) - No authorizationCache instance set.
> Checking for a cacheManager...
> [DEBUG] org.apache.shiro.realm.AuthorizingRealm
> (getAuthorizationCacheLazy:242) - CacheManager
> [MemoryConstrainedCacheManager with 0 cache(s)): []] has been
> configured. Building authorization cache named
> [awsiamaccounts.authorizationCache]
>
> So I must have a misconfiguration somewhere but am stuck as I can't
> figure out where. I just thought that tapestry-security automagically
> handles redirect after login. My page is very simple:
>
> @RequiresRoles("administrator")
> public class Contact {
> }
>
>
> On Tue, Nov 8, 2016 at 8:30 PM, Adam X <vbgnm3c...@gmail.com> wrote:
>> Hi Kyle,
>>
>> Thanks for taking a look. Indeed, I made the assumption that
>> SimpleCredentialsMatcher is used by default, but as part of my
>> troubleshooting I explicitly set it. doGetAuthenticationInfo is
>> invoked for sure, because my logs show it (I also stepped thru with
>> the debugger):
>>
>> [WARN] org.tynamo.security.services.SecurityModule.RememberMeManager
>> (buildRememberMeManager:111) - Symbol 'security.remembermecipherkey'
>> is not set, using 'tapestry.hmac-passphrase' as the cipher. Beware
>> that changing the value will invalidate rememberMe cookies
>> [ERROR] org.apache.tapestry5.modules.AssetsModule.AssetSource
>> (invoke:237) - Packaging of classpath assets has changed in release
>> 5.4; Assets should no longer be on the main classpath, but should be
>> moved to 'META-INF/assets/' or a sub-folder. Future releases of
>> Tapestry may no longer support assets on the main classpath.
>> [WARN] org.apache.tapestry5.modules.AssetsModule.AssetSource
>> (invoke:245) - Classpath asset '/org/tynamo/security/img/login-bg.png'
>> should be moved to folder
>> '/META-INF/assets/security/org/tynamo/security/img/'.
>> [DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
>> (getUser:444) - userId: donkey
>> [DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
>> (getUserPassword:451) - userId: donkey
>>
>> As you can see my mock dao is correctly being called and it is
>> returning the correct password because I saw it in the debugger.
>>
>> Am I instantiating SimpleAuthenticationInfo correctly? This API is all
>> new to me (never worked with Shiro) so I'm learning as I go.
>>
>> Also, here is what my AppModule contribution looks like:
>>
>> @Contribute(WebSecurityManager.class)
>> public static void addRealms(Configuration<Realm> configuration,
>> @Inject @FromFactory UserManagementDao dao) {
>> Realm realm = new FooBarCoreRealm(dao);
>> configuration.add(realm);
>> }
>>
>> Obviously replaced company name with FooBar etc.
>>
>> Adam
>>
>> On Tue, Nov 8, 2016 at 7:55 PM, Kalle Korhonen
>> <kalle.o.korho...@gmail.com> wrote:
>>> Looks fine at a quick glance. As I recall, an AuthenticatingRealm uses
>>> SimpleCredentialsMatcher by so it should match plain text passwords. Are
>>> you sure it's not authenticating, or is doGetAuthenticationInfo invoked at
>>> all? Do you have any other realms configured? Get the simple, single realm
>>> use case working first and work from there.
>>>
>>> Kalle
>>>
>>> On Tue, Nov 8, 2016 at 10:16 AM, Adam X <vbgnm3c...@gmail.com> wrote:
>>>
>>>> Howdy !
>>>>
>>>> I followed tynamo setup guide
>>>> (http://www.tynamo.org/tapestry-security+guide/) combined with
>>>> federated accounts example
>>>> (https://github.com/tynamo/tynamo-federatedaccounts). I believe I have
>>>> the setup hooked up correctly as my annotated page with
>>>> @RequiresRoles("administrator") is not intercepted by tynamo and a
>>>> login page appears. The problem I'm having is that when I enter valid
>>>> credentials tynamo is not authenticating. Below is my custom realm.
>>>> UserManagementDao is just an interface, but the implementation I'm
>>>> injecting is a simple in-memory hash map impl with a unit test
>>>> verifyinig it's correctness (in reality we're authenticating against
>>>> AWS IAM but I'm usinig mock to get things working initially). However,
>>>> I'm not sure if I'm constructing SimpleAuthenticationInfo correctly.
>>>> Another thing is that my passwords (for now) are clear text and I'm
>>>> not sure if by default Tynamo uses clear text comparison of if it
>>>> hashes the passwords.
>>>>
>>>> Any help would be highly appreciated!
>>>>
>>>> public class MyCustomRealm extends AuthorizingRealm {
>>>>
>>>> private UserManagementDao dao;
>>>>
>>>>
>>>> public XappmCoreRealm(UserManagementDao dao) {
>>>>
>>>> super(new MemoryConstrainedCacheManager());
>>>> setName("awsiamaccounts");
>>>> setAuthenticationTokenClass(UsernamePasswordToken.class);
>>>> //setCredentialsMatcher(new
>>>> HashedCredentialsMatcher(Sha1Hash.ALGORITHM_NAME));
>>>>
>>>> this.dao = dao;
>>>> }
>>>>
>>>> @Override
>>>> protected AuthorizationInfo
>>>> doGetAuthorizationInfo(PrincipalCollection principals) {
>>>>
>>>> if(principals == null) throw new
>>>> AuthorizationException(String.format("null %s! (should not happen)",
>>>> PrincipalCollection.class.getSimpleName()));
>>>> if(principals.isEmpty()) return null;
>>>> if(principals.fromRealm(getName()).size() <= 0) return null;
>>>>
>>>> String username = (String)
>>>> principals.fromRealm(getName()).iterator().next();
>>>> if(username == null) return null;
>>>>
>>>> List<XapGroup> groups = dao.getUserGroups(username);
>>>> Set<String> roles = new HashSet<>();
>>>>
>>>> for(XapGroup group : groups) {
>>>> roles.add(group.getId());
>>>> }
>>>>
>>>> return new SimpleAuthorizationInfo(roles);
>>>> }
>>>>
>>>> @Override
>>>> protected AuthenticationInfo
>>>> doGetAuthenticationInfo(AuthenticationToken token) throws
>>>> AuthenticationException {
>>>>
>>>> UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>>>> String userName = upToken.getUsername();
>>>>
>>>> if(userName == null) throw new AccountException("Null
>>>> usernames are not allowed by this realm.");
>>>>
>>>> XapUser user = dao.getUser(userName);
>>>> if(user == null) return null;
>>>>
>>>> // if (user.isAccountLocked()) { throw new
>>>> LockedAccountException("Account [" + username + "] is locked."); }
>>>> // if (user.isCredentialsExpired()) {
>>>> // String msg = "The credentials for account [" + username
>>>> + "] are expired";
>>>> // throw new ExpiredCredentialsException(msg);
>>>> // }
>>>>
>>>> String password = dao.getUserPassword(userName);
>>>>
>>>> return new SimpleAuthenticationInfo(userName, password,
>>>> getName());
>>>> }
>>>> }
>>>>
>>>> Adam
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>>
>>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
