You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by Les Hazlewood <lh...@apache.org> on 2009/02/18 21:38:15 UTC
Enterprise deployments: servicing both web requests and non-web RPC
calls simultaneously
In web-enabled environments that also service RPC calls
(RMI/RMI-over-JMS/SOAP/REST/etc), the DefaultWebSecurityManager and some of
its default components (WebRememberMeManager, WebSubjectFactory, etc) use
the following calls:
WebUtils.getRequiredServletRequest()
WebUtils.getRequiredServletResponse()
The problem here is if an RPC call comes in and the transport layer is _not_
HTTP, there will not be any thread-bound servlet request or response. In
these cases, these calls always throw an IllegalStateException.
But the scenario is logical in enterprise installations - where the
SecurityManager needs to service both web requests and non-web-based RPC
calls simultaneously. We definitely should support this cleanly.
Question: Should we continue to force the 'required' check? Or is it OK
instead to just check to see if the thread-bound objects are null and assume
in these cases the call came in on a non-http remoting invocation?
I think I prefer not requiring the thread-bound request/response pair and
checking for null. It is certainly the least impact on the code base. But
this opens up the issue that during test cases, the end-user doesn't need to
set up request/response mocks. If they don't set up req/resp mocks, they
wouldn't accurately reflect the web-based environment that would exist for
them at runtime when using the JSecurityFilter.
What do you think?
Re: Enterprise deployments: servicing both web requests and non-web
RPC calls simultaneously
Posted by Les Hazlewood <lh...@apache.org>.
Keep in mind that the important thing is not an 'either/or' scenario. Both
web requests and non-web rpc calls should be handled by the same
SecurityManager. Its my personal opinion that the required check to ensure
valid configuration is mostly unnecessary - you either use the
JSecurityFilter or not. If you do, you'll have the request/response pair
automatically bound to the thread.
If you can overlook that point, the only thing remaining is test cases -
where you want to guarantee the test writer has bound the pair to the thread
before running the test. I don't know if that desire trumps a flexible
SecurityManager - I also have to think about it more for a clean way to have
the best of both worlds...
On Wed, Feb 18, 2009 at 4:25 PM, Jeremy Haile <jh...@fastmail.fm> wrote:
> I like keeping the required check - in HTTP web environments, those would
> highlight a misconfiguration problem. I'm ok renaming WebRememberMeManager
> to HttpRememberMeManager or something if "web" is too broad. I really think
> RPC scenarios should be need some sort of different ways of accessing
> things.
>
> That being said, I think our model might could be configured better. For
> example, rather than configuring a WebRememberMeManager, maybe you should
> just configure a DefaultRememberMeManager that can have a set of accessors
> configured - one could be an RmiRememberMeAccessor and another an
> HttpRememberMeAccessor. Need to think about it more.
>
>
>
>
> On Feb 18, 2009, at 3:38 PM, Les Hazlewood wrote:
>
> In web-enabled environments that also service RPC calls
>> (RMI/RMI-over-JMS/SOAP/REST/etc), the DefaultWebSecurityManager and some
>> of
>> its default components (WebRememberMeManager, WebSubjectFactory, etc) use
>> the following calls:
>>
>> WebUtils.getRequiredServletRequest()
>> WebUtils.getRequiredServletResponse()
>>
>> The problem here is if an RPC call comes in and the transport layer is
>> _not_
>> HTTP, there will not be any thread-bound servlet request or response. In
>> these cases, these calls always throw an IllegalStateException.
>>
>> But the scenario is logical in enterprise installations - where the
>> SecurityManager needs to service both web requests and non-web-based RPC
>> calls simultaneously. We definitely should support this cleanly.
>>
>> Question: Should we continue to force the 'required' check? Or is it OK
>> instead to just check to see if the thread-bound objects are null and
>> assume
>> in these cases the call came in on a non-http remoting invocation?
>>
>> I think I prefer not requiring the thread-bound request/response pair and
>> checking for null. It is certainly the least impact on the code base.
>> But
>> this opens up the issue that during test cases, the end-user doesn't need
>> to
>> set up request/response mocks. If they don't set up req/resp mocks, they
>> wouldn't accurately reflect the web-based environment that would exist for
>> them at runtime when using the JSecurityFilter.
>>
>> What do you think?
>>
>
>
Re: Enterprise deployments: servicing both web requests and non-web RPC calls simultaneously
Posted by Jeremy Haile <jh...@fastmail.fm>.
I like keeping the required check - in HTTP web environments, those
would highlight a misconfiguration problem. I'm ok renaming
WebRememberMeManager to HttpRememberMeManager or something if "web" is
too broad. I really think RPC scenarios should be need some sort of
different ways of accessing things.
That being said, I think our model might could be configured better.
For example, rather than configuring a WebRememberMeManager, maybe you
should just configure a DefaultRememberMeManager that can have a set
of accessors configured - one could be an RmiRememberMeAccessor and
another an HttpRememberMeAccessor. Need to think about it more.
On Feb 18, 2009, at 3:38 PM, Les Hazlewood wrote:
> In web-enabled environments that also service RPC calls
> (RMI/RMI-over-JMS/SOAP/REST/etc), the DefaultWebSecurityManager and
> some of
> its default components (WebRememberMeManager, WebSubjectFactory,
> etc) use
> the following calls:
>
> WebUtils.getRequiredServletRequest()
> WebUtils.getRequiredServletResponse()
>
> The problem here is if an RPC call comes in and the transport layer
> is _not_
> HTTP, there will not be any thread-bound servlet request or
> response. In
> these cases, these calls always throw an IllegalStateException.
>
> But the scenario is logical in enterprise installations - where the
> SecurityManager needs to service both web requests and non-web-based
> RPC
> calls simultaneously. We definitely should support this cleanly.
>
> Question: Should we continue to force the 'required' check? Or is
> it OK
> instead to just check to see if the thread-bound objects are null
> and assume
> in these cases the call came in on a non-http remoting invocation?
>
> I think I prefer not requiring the thread-bound request/response
> pair and
> checking for null. It is certainly the least impact on the code
> base. But
> this opens up the issue that during test cases, the end-user doesn't
> need to
> set up request/response mocks. If they don't set up req/resp mocks,
> they
> wouldn't accurately reflect the web-based environment that would
> exist for
> them at runtime when using the JSecurityFilter.
>
> What do you think?