Hello All - just want to say everything in Shiro was configured ok. The bug was in the implementation of my mock dao.
All works nicely On Wed, Nov 9, 2016 at 2:49 PM, Adam X <vbgnm3c...@gmail.com> wrote: > So I set org.apache.shiro to DEBUG level and discovered that Shiro is > actually correctly authenticating but for some reason displays > "Unauthorized" page: > > [DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao > (getUser:444) - userId: donkey > [DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao > (getUserPassword:451) - userId: donkey > [DEBUG] org.apache.shiro.realm.AuthenticatingRealm > (getAuthenticationInfo:569) - Looked up AuthenticationInfo [donkey] > from doGetAuthenticationInfo > [DEBUG] org.apache.shiro.realm.AuthenticatingRealm > (cacheAuthenticationInfoIfPossible:507) - AuthenticationInfo caching > is disabled for info [donkey]. Submitted token: > [org.apache.shiro.authc.UsernamePasswordToken - donkey, > rememberMe=false]. > [DEBUG] org.apache.shiro.authc.credential.SimpleCredentialsMatcher > (equals:95) - Performing credentials equality check for > tokenCredentials of type [[C and accountCredentials of type > [java.lang.String] > [DEBUG] org.apache.shiro.authc.credential.SimpleCredentialsMatcher > (equals:101) - Both credentials arguments can be easily converted to > byte arrays. Performing array equals comparison > [DEBUG] org.apache.shiro.authc.AbstractAuthenticator > (authenticate:233) - Authentication successful for token > [org.apache.shiro.authc.UsernamePasswordToken - donkey, > rememberMe=false]. Returned account [donkey] > [DEBUG] org.apache.shiro.subject.support.DefaultSubjectContext > (resolveSecurityManager:102) - No SecurityManager available in subject > context map. Falling back to SecurityUtils.getSecurityManager() > lookup. > [DEBUG] org.apache.shiro.subject.support.DefaultSubjectContext > (resolveSecurityManager:102) - No SecurityManager available in subject > context map. Falling back to SecurityUtils.getSecurityManager() > lookup. > [DEBUG] org.apache.shiro.web.servlet.SimpleCookie > (addCookieHeader:226) - Added HttpServletResponse Cookie > [rememberMe=deleteMe; Path=/bip; Max-Age=0; Expires=Tue, 08-Nov-2016 > 12:28:52 GMT] > [DEBUG] org.apache.shiro.mgt.AbstractRememberMeManager > (onSuccessfulLogin:290) - AuthenticationToken did not indicate > RememberMe is requested. RememberMe functionality will not be > executed for corresponding account. > [DEBUG] org.apache.shiro.realm.AuthorizingRealm > (getAuthorizationCacheLazy:234) - No authorizationCache instance set. > Checking for a cacheManager... > [DEBUG] org.apache.shiro.realm.AuthorizingRealm > (getAuthorizationCacheLazy:242) - CacheManager > [MemoryConstrainedCacheManager with 0 cache(s)): []] has been > configured. Building authorization cache named > [awsiamaccounts.authorizationCache] > > So I must have a misconfiguration somewhere but am stuck as I can't > figure out where. I just thought that tapestry-security automagically > handles redirect after login. My page is very simple: > > @RequiresRoles("administrator") > public class Contact { > } > > > On Tue, Nov 8, 2016 at 8:30 PM, Adam X <vbgnm3c...@gmail.com> wrote: >> Hi Kyle, >> >> Thanks for taking a look. Indeed, I made the assumption that >> SimpleCredentialsMatcher is used by default, but as part of my >> troubleshooting I explicitly set it. doGetAuthenticationInfo is >> invoked for sure, because my logs show it (I also stepped thru with >> the debugger): >> >> [WARN] org.tynamo.security.services.SecurityModule.RememberMeManager >> (buildRememberMeManager:111) - Symbol 'security.remembermecipherkey' >> is not set, using 'tapestry.hmac-passphrase' as the cipher. Beware >> that changing the value will invalidate rememberMe cookies >> [ERROR] org.apache.tapestry5.modules.AssetsModule.AssetSource >> (invoke:237) - Packaging of classpath assets has changed in release >> 5.4; Assets should no longer be on the main classpath, but should be >> moved to 'META-INF/assets/' or a sub-folder. Future releases of >> Tapestry may no longer support assets on the main classpath. >> [WARN] org.apache.tapestry5.modules.AssetsModule.AssetSource >> (invoke:245) - Classpath asset '/org/tynamo/security/img/login-bg.png' >> should be moved to folder >> '/META-INF/assets/security/org/tynamo/security/img/'. >> [DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao >> (getUser:444) - userId: donkey >> [DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao >> (getUserPassword:451) - userId: donkey >> >> As you can see my mock dao is correctly being called and it is >> returning the correct password because I saw it in the debugger. >> >> Am I instantiating SimpleAuthenticationInfo correctly? This API is all >> new to me (never worked with Shiro) so I'm learning as I go. >> >> Also, here is what my AppModule contribution looks like: >> >> @Contribute(WebSecurityManager.class) >> public static void addRealms(Configuration<Realm> configuration, >> @Inject @FromFactory UserManagementDao dao) { >> Realm realm = new FooBarCoreRealm(dao); >> configuration.add(realm); >> } >> >> Obviously replaced company name with FooBar etc. >> >> Adam >> >> On Tue, Nov 8, 2016 at 7:55 PM, Kalle Korhonen >> <kalle.o.korho...@gmail.com> wrote: >>> Looks fine at a quick glance. As I recall, an AuthenticatingRealm uses >>> SimpleCredentialsMatcher by so it should match plain text passwords. Are >>> you sure it's not authenticating, or is doGetAuthenticationInfo invoked at >>> all? Do you have any other realms configured? Get the simple, single realm >>> use case working first and work from there. >>> >>> Kalle >>> >>> On Tue, Nov 8, 2016 at 10:16 AM, Adam X <vbgnm3c...@gmail.com> wrote: >>> >>>> Howdy ! >>>> >>>> I followed tynamo setup guide >>>> (http://www.tynamo.org/tapestry-security+guide/) combined with >>>> federated accounts example >>>> (https://github.com/tynamo/tynamo-federatedaccounts). I believe I have >>>> the setup hooked up correctly as my annotated page with >>>> @RequiresRoles("administrator") is not intercepted by tynamo and a >>>> login page appears. The problem I'm having is that when I enter valid >>>> credentials tynamo is not authenticating. Below is my custom realm. >>>> UserManagementDao is just an interface, but the implementation I'm >>>> injecting is a simple in-memory hash map impl with a unit test >>>> verifyinig it's correctness (in reality we're authenticating against >>>> AWS IAM but I'm usinig mock to get things working initially). However, >>>> I'm not sure if I'm constructing SimpleAuthenticationInfo correctly. >>>> Another thing is that my passwords (for now) are clear text and I'm >>>> not sure if by default Tynamo uses clear text comparison of if it >>>> hashes the passwords. >>>> >>>> Any help would be highly appreciated! >>>> >>>> public class MyCustomRealm extends AuthorizingRealm { >>>> >>>> private UserManagementDao dao; >>>> >>>> >>>> public XappmCoreRealm(UserManagementDao dao) { >>>> >>>> super(new MemoryConstrainedCacheManager()); >>>> setName("awsiamaccounts"); >>>> setAuthenticationTokenClass(UsernamePasswordToken.class); >>>> //setCredentialsMatcher(new >>>> HashedCredentialsMatcher(Sha1Hash.ALGORITHM_NAME)); >>>> >>>> this.dao = dao; >>>> } >>>> >>>> @Override >>>> protected AuthorizationInfo >>>> doGetAuthorizationInfo(PrincipalCollection principals) { >>>> >>>> if(principals == null) throw new >>>> AuthorizationException(String.format("null %s! (should not happen)", >>>> PrincipalCollection.class.getSimpleName())); >>>> if(principals.isEmpty()) return null; >>>> if(principals.fromRealm(getName()).size() <= 0) return null; >>>> >>>> String username = (String) >>>> principals.fromRealm(getName()).iterator().next(); >>>> if(username == null) return null; >>>> >>>> List<XapGroup> groups = dao.getUserGroups(username); >>>> Set<String> roles = new HashSet<>(); >>>> >>>> for(XapGroup group : groups) { >>>> roles.add(group.getId()); >>>> } >>>> >>>> return new SimpleAuthorizationInfo(roles); >>>> } >>>> >>>> @Override >>>> protected AuthenticationInfo >>>> doGetAuthenticationInfo(AuthenticationToken token) throws >>>> AuthenticationException { >>>> >>>> UsernamePasswordToken upToken = (UsernamePasswordToken) token; >>>> String userName = upToken.getUsername(); >>>> >>>> if(userName == null) throw new AccountException("Null >>>> usernames are not allowed by this realm."); >>>> >>>> XapUser user = dao.getUser(userName); >>>> if(user == null) return null; >>>> >>>> // if (user.isAccountLocked()) { throw new >>>> LockedAccountException("Account [" + username + "] is locked."); } >>>> // if (user.isCredentialsExpired()) { >>>> // String msg = "The credentials for account [" + username >>>> + "] are expired"; >>>> // throw new ExpiredCredentialsException(msg); >>>> // } >>>> >>>> String password = dao.getUserPassword(userName); >>>> >>>> return new SimpleAuthenticationInfo(userName, password, >>>> getName()); >>>> } >>>> } >>>> >>>> Adam >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org >>>> For additional commands, e-mail: users-h...@tapestry.apache.org >>>> >>>> --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org