Posted to users@isis.apache.org by james agada <ok...@gmail.com> on 2013/10/24 22:23:22 UTC

Shiro with JdbcRealm

I have been able to set up Shiro to use a jdbcrealm and authenticate against
the database. However, it does not appear to use the permissions. I want to
set a role to have permissions only to run the ToDoItems fixture service
and I give the permission as so  *:ToDoItemsFixturesService:install:*. But
the user with the role still gets access to everything. Is there something
I am doing wrong?

Re: Shiro with JdbcRealm

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
On 26 June 2014 22:46, james agada <ok...@gmail.com> wrote:

>
> 1. If I used a cache manager, then it seems shiro will not reload the user
> roles and permissions after the first load. So any changes will require a
> restart of the app. My solution is not to use cache. How does this affect
> performance when we have a couple of hundred users?
>

That's a question for the Shiro mailing list, probably.  But you should
write a performance test script yourself.

On a previous (non-Isis) project we used Grinder to reasonable effect [1]

David (Tildesley)...
I think you told me that you did some performance testing of Isis in
general?  Was there any particular tool that you used to do so?

[1] http://grinder.sourceforge.net/g3/tutorial-perks.html

Re: Shiro with JdbcRealm

Posted by Jeroen van der Wal <je...@stromboli.it>.
Hi James,

Performance will be hurt if you disable cache. The cache can be
cleared on multiple levels [1] to make sure permission changes are
picked up.

[1] https://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/AuthorizingRealm.html#clearCachedAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection)


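One way to act on the suggestion above and keep the cache manager while still picking up permission changes, as an added example (not code from Shiro, Isis or anyone in this thread): a `JdbcRealm` subclass that exposes the protected `clearCachedAuthorizationInfo` hook. The class name `RefreshableJdbcRealm` and its method names are hypothetical; `shiro-core` is assumed to be on the classpath.

```java
import java.util.Collection;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;

/**
 * Hypothetical JdbcRealm subclass (an assumption of this example, not a Shiro class)
 * that lets application code evict cached roles and permissions, so that a cache
 * manager can stay enabled without restarting the app after a permission change.
 */
public class RefreshableJdbcRealm extends JdbcRealm {

    /** Evict the cached AuthorizationInfo of one user; the next check re-runs the queries. */
    public void evictUser(String username) {
        // JdbcRealm registers the login name as the principal under this realm's name,
        // so an equal PrincipalCollection addresses the same authorization cache entry.
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(username, getName()));
    }

    /** Evict every cached entry, e.g. after the permission rows of a role were edited. */
    public void evictAll() {
        Cache<Object, AuthorizationInfo> cache = getAuthorizationCache();
        if (cache != null) {            // null when no cache manager is configured
            cache.clear();
        }
    }

    /**
     * Convenience for code that edits the user/role/permission tables: evicts the
     * user from every RefreshableJdbcRealm known to the active SecurityManager.
     * Returns the number of realms that were touched.
     */
    public static int evictUserEverywhere(String username) {
        SecurityManager securityManager = SecurityUtils.getSecurityManager();
        if (!(securityManager instanceof RealmSecurityManager)) {
            return 0;
        }
        Collection<Realm> realms = ((RealmSecurityManager) securityManager).getRealms();
        if (realms == null) {
            return 0;
        }
        int touched = 0;
        for (Realm realm : realms) {
            if (realm instanceof RefreshableJdbcRealm) {
                ((RefreshableJdbcRealm) realm).evictUser(username);
                touched++;
            }
        }
        return touched;
    }
}
```

To use it, point the `jdbcRealm` entry in shiro.ini at this class instead of `org.apache.shiro.realm.jdbc.JdbcRealm`, and call `evictUserEverywhere` (or `evictAll`) from the code that changes role or permission rows.
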
Re: Shiro with JdbcRealm

Posted by james agada <ok...@gmail.com>.
I think I got it fixed. There were two problems
1. If I used a cache manager, then it seems shiro will not reload the user roles and permissions after the first load. So any changes will require a restart of the app. My solution is not to use cache. How does this affect performance when we have a couple of hundred users?
2. I got the permission 




Re: Shiro with JdbcRealm

Posted by David Tildesley <da...@yahoo.co.nz>.
> I know but that should be only when I use that permission.


Assumptions you can't afford - make those suggested corrections (all of them) and try again.

>I also define entities for user, permission and role in my isis app.
>These entities map to the tables used by shiro.
>Could there be conflict between shiro using the tables via jdbc and
>Isis using the entities?


Probably not - unless you are getting errors that indicate an issue. You could temporarily remove the ISIS entities to know for sure.





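The tables quoted in this thread, replayed through Shiro's `WildcardPermission` to show what each user is effectively granted and which permission rows no role uses; this is an added example, not code from the thread, Shiro or Isis. The requested-permission strings (including the `dom.todo` package) are constructed, following the `packageName:className:memberName:r,w` format from the posted shiro.ini, and `shiro-core` is assumed to be on the classpath.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.apache.shiro.authz.permission.WildcardPermission;

public class EffectivePermissionAudit {

    // Rows copied from the User, Userroles, RolePermissions and permission tables in the thread.
    static final Map<Integer, String> USERS = new LinkedHashMap<>();
    static final Map<Integer, String> PERMISSIONS = new LinkedHashMap<>();
    static final int[][] USER_ROLES = {{1, 1}, {2, 2}, {3, 3}, {4, 3}};       // USERID, ROLEID
    static final int[][] ROLE_PERMISSIONS = {{1, 5}, {2, 2}, {2, 4}, {3, 3}}; // ROLEID, PERMISSIONID
    static {
        USERS.put(1, "james");
        USERS.put(2, "Anthonia");
        USERS.put(3, "sven");
        USERS.put(4, "chimaje");
        PERMISSIONS.put(1, "*:ToDoItemsFixturesService:install:*");
        PERMISSIONS.put(2, "*:User:*:r");
        PERMISSIONS.put(3, "*");
        PERMISSIONS.put(4, "*:Inventory:*:r,w");
        PERMISSIONS.put(5, "*:Parties:*:*");
    }

    // Constructed requests (assumption): what a viewer would ask Shiro for a given member.
    static final String[] REQUESTS = {
        "dom.todo:ToDoItemsFixturesService:install:w",
        "dom.todo:ToDoItem:notYetComplete:r",
        "dom.todo:ToDoItemsJdo:newToDo:w",
    };

    /** Same join the posted userRolesQuery and permissionsQuery perform: user -> roles -> permissions. */
    static List<String> effectiveGrants(int userId) {
        List<String> grants = new ArrayList<>();
        for (int[] userRole : USER_ROLES) {
            if (userRole[0] != userId) continue;
            for (int[] rolePermission : ROLE_PERMISSIONS) {
                if (rolePermission[0] == userRole[1]) {
                    grants.add(PERMISSIONS.get(rolePermission[1]));
                }
            }
        }
        return grants;
    }

    static boolean implies(String granted, String requested) {
        return new WildcardPermission(granted).implies(new WildcardPermission(requested));
    }

    /** A request is allowed if any one of the user's grants implies it. */
    static boolean isAllowed(List<String> grants, String requested) {
        for (String granted : grants) {
            if (implies(granted, requested)) return true;
        }
        return false;
    }

    /** True for grants such as "*" that imply a request made of arbitrary tokens. */
    static boolean isUnrestricted(String granted) {
        return implies(granted, "probe.pkg:ProbeClass:probeMember:probeMode");
    }

    /** Permission rows that no RolePermissions row refers to, so no role can confer them. */
    static List<Integer> unassignedPermissionIds() {
        List<Integer> unassigned = new ArrayList<>(PERMISSIONS.keySet());
        for (int[] rolePermission : ROLE_PERMISSIONS) {
            unassigned.remove(Integer.valueOf(rolePermission[1]));
        }
        return unassigned;
    }

    public static void main(String[] args) {
        for (Map.Entry<Integer, String> user : USERS.entrySet()) {
            List<String> grants = effectiveGrants(user.getKey());
            boolean unrestricted = false;
            for (String granted : grants) {
                unrestricted |= isUnrestricted(granted);
            }
            System.out.println(user.getValue() + " grants=" + grants + " unrestricted=" + unrestricted);
            for (String requested : REQUESTS) {
                System.out.println("  " + (isAllowed(grants, requested) ? "ALLOW " : "DENY  ") + requested);
            }
        }
        System.out.println("permission ids not assigned to any role: " + unassignedPermissionIds());
    }
}
```
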
Re: Shiro with JdbcRealm

Posted by james agada <ok...@gmail.com>.
I also define entities for user, permission and role in my isis app.
These entities map to the tables used by shiro.
Could there be conflict between shiro using the tables via jdbc and
Isis using the entities?

Sent from my iPhone

> On Nov 12, 2013, at 12:59 AM, David Tildesley <da...@yahoo.co.nz> wrote:
>
>
>
> Firstly, I don't think this value is valid:
>
> "*:Inventory:*:r,w"
>
> It needs to be:
> "*:Inventory:*:*"
>
>
> I don't know what Inventory does but generally you only need to specify the implementation class in the permission mapping.
>
> David.
>
>
>
>
> On Monday, 11 November 2013 11:59 PM, james agada <ok...@gmail.com> wrote:
>
> The other tables.
> 1. Table - User
>
> USER_ID,DESCRIPTION,NAME,OWNEDBY,PARTY_PARTY_ID_OID,PASSWORD,VERSION
> 1,"James Agada",james,sven,2,ixzdore,4
> 2,"Anthonia Eze",Anthonia,sven,3,ANTHONIA,2
> 3,"sven from isis",sven,sven,2,pass,2
> 4,"chimaje agada new",chimaje,james,1,chimaje,3
>
> 2. Table - Userroles
>
> USERID,ROLEID,IDX
> 1,1,0
> 2,2,0
> 3,3,0
> 4,3,0
>
> 3. Table - Role
> ROLE_ID,DESCRIPTION,NAME,OWNEDBY,VERSION
> 1,"Site Administrator",SITEADMIN,sven,10
> 2,"Normal Site User",SITEUSER,sven,3
> 3,"Root Admin Role",admin_role,sven,2
>
>
> 4. Table - RolePermissions
> ROLEID,PERMISSIONID,IDX
> 1,5,0
> 2,2,0
> 2,4,1
> 3,3,0
>
>
>
>
>
>
> On Mon, Nov 11, 2013 at 5:17 AM, David Tildesley <da...@yahoo.co.nz> wrote:
>
>> I suggest you remove the [users] and [roles] sections from the ini file as
>> they are not needed for your purpose and from memory there is some
>> side-effect from leaving them in place when not using the iniRealm. It
>> would be useful to see the other tables as well.
>>
>> David.
>>
>>
>>
>>
>> On Monday, 11 November 2013 3:16 AM, james agada <ok...@gmail.com>
>> wrote:
>>
>> I have struggled with this for some time and I still cannot get the
>> behaviour right. Now, it is only a permission of * that works. Any other
>> permission and the user cannot see the menu or dashboard. I also have to
>> shut down and restart before any permission changes or user definitions
>> take effect.
>>
>> Here is the shiro.ini
>>
>> #
>> # Licensed to the Apache Software Foundation (ASF) under one
>> # or more contributor license agreements.  See the NOTICE file
>> # distributed with this work for additional information
>> # regarding copyright ownership.  The ASF licenses this file
>> # to you under the Apache License, Version 2.0 (the
>> # "License"); you may not use this file except in compliance
>> # with the License.  You may obtain a copy of the License at
>> #
>> #    http://www.apache.org/licenses/LICENSE-2.0
>> #
>> # Unless required by applicable law or agreed to in writing,
>> # software distributed under the License is distributed on an
>> # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>> # KIND, either express or implied.  See the License for the
>> # specific language governing permissions and limitations
>> # under the License.
>> #
>>
>> [main]
>> ps = org.apache.shiro.authc.credential.DefaultPasswordService
>> pm = org.apache.shiro.authc.credential.PasswordMatcher
>> pm.passwordService = $ps
>>
>> aa = org.apache.shiro.authc.credential.AllowAllCredentialsMatcher
>> sm = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
>>
>> ds = com.jolbox.bonecp.BoneCPDataSource
>> ds.driverClass = com.mysql.jdbc.Driver
>> ds.jdbcUrl = jdbc:mysql://localhost:3306/myticket
>> ds.username = root
>> #ds.password =  .
>> jdbcRealm.dataSource = $ds
>>
>> jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
>> jdbcRealm.permissionsLookupEnabled = true
>> jdbcRealm.credentialsMatcher = $sm
>> builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>>
>> jdbcRealm.dataSource = $ds
>>
>> jdbcRealm.authenticationQuery = SELECT password FROM user WHERE name = ?
>> jdbcRealm.userRolesQuery = SELECT role.name AS role_name FROM user,userroles, role WHERE user.user_id = userroles.userid AND userroles.roleid = role.role_id AND user.name = ?
>> jdbcRealm.permissionsQuery = SELECT permission.permission AS roleper FROM role, permission, rolepermissions WHERE rolepermissions.roleid=role.role_id AND rolepermissions.permissionid = permission.permission_id AND role.name= ?
>> securityManager.realms = $jdbcRealm
>> securityManager.cacheManager = $builtInCacheManager
>> # to use .ini file
>> #securityManager.realms = $iniRealm
>>
>> # -----------------------------------------------------------------------------
>> # Users and their assigned roles
>> #
>> # Each line conforms to the format defined in the
>> # org.apache.shiro.realm.text.TextConfigurationRealm#setUserDefinitions JavaDoc
>> # -----------------------------------------------------------------------------
>>
>> [users]
>> # user = password, role1, role2, role3, ...
>>
>> sven = pass, admin_role
>> dick = pass, user_role, self-install_role
>> bob  = pass, user_role, self-install_role
>> joe  = pass, user_role, self-install_role
>> guest = guest, user_role
>>
>> # -----------------------------------------------------------------------------
>> # Roles with assigned permissions
>> #
>> # Each line conforms to the format defined in the
>> # org.apache.shiro.realm.text.TextConfigurationRealm#setRoleDefinitions JavaDoc
>> # -----------------------------------------------------------------------------
>>
>> [roles]
>> # role = perm1, perm2, perm3, ...
>> # perm in format: packageName:className:memberName:r,w
>>
>> user_role =   *:ToDoItemsJdo:*:*,\
>>                *:ToDoItem:*:*
>> self-install_role = *:ToDoItemsFixturesService:install:*
>> admin_role = *
>>
>> ***
>> Here is the permission table
>> PERMISSION_ID,DESCRIPTION,NAME,OWNEDBY,PERMISSION,VERSION
>> 1,"Create Users",CreateUser,sven,*:ToDoItemsFixturesService:install:*,7
>> 2,"View Existing Users",ViewUsers,sven,*:User:*:r,2
>> 3,"Root access",ROOT,sven,*,1
>> 4,"Setup inventory",SetupInventory,sven,"*:Inventory:*:r,w",1
>> 5,todo,TODO,sven,*:Parties:*:*,3
>>
>>
>>
>> On Fri, Oct 25, 2013 at 3:27 AM, David Tildesley <davotnz@yahoo.co.nz
>>> wrote:
>>
>>> Copy us the whole shiro.ini file (blank out any sensitive connection
>> info).
>>>
>>>
>>> David.
>>>
>>>
>>>
>>> ________________________________
>>>   From: james agada <ok...@gmail.com>
>>> To: "users@isis.apache.org" <us...@isis.apache.org>
>>> Sent: Friday, 25 October 2013 9:23 AM
>>> Subject: Shiro with JdbcRealm
>>>
>>>
>>> I have been able to setup shire to use a jdbcrealm and authenticate
>> against
>>> the database. However, it does not appear to use the permissions. I want
>> to
>>> set a role to have permissions only to run the ToDoItems fixture service
>>> and I give the permission as so  *:ToDoItemsFixturesService:install:*.
>> But
>>> the user with the role still gets access to everything. Is there
>> something
>>> I am doing wrong?

Re: Shiro with JdbcRealm

Posted by james agada <ok...@gmail.com>.
I know but that should be only when I use that permission.

Sent from my iPhone

> On Nov 12, 2013, at 12:59 AM, David Tildesley <da...@yahoo.co.nz> wrote:
>
>
>
> Firstly, I don't think this value is valid:
>
> "*:Inventory:*:r,w"
>
> It needs to be:
> "*:Inventory:*:*"
>
>
> I don't know what Inventory does but generally you only need to specify the implementation class in the permission mapping.
>
> David.

Re: Shiro with JdbcRealm

Posted by David Tildesley <da...@yahoo.co.nz>.

Firstly, I don't think this value is valid:

"*:Inventory:*:r,w"

It needs to be:
"*:Inventory:*:*"


I don't know what Inventory does but generally you only need to specify the implementation class in the permission mapping.

David.





Re: Shiro with JdbcRealm

Posted by james agada <ok...@gmail.com>.
The other tables.
1. Table - User

USER_ID,DESCRIPTION,NAME,OWNEDBY,PARTY_PARTY_ID_OID,PASSWORD,VERSION
1,"James Agada",james,sven,2,ixzdore,4
2,"Anthonia Eze",Anthonia,sven,3,ANTHONIA,2
3,"sven from isis",sven,sven,2,pass,2
4,"chimaje agada new",chimaje,james,1,chimaje,3

2. Table -Userroles

USERID,ROLEID,IDX
1,1,0
2,2,0
3,3,0
4,3,0

3. Table - Role
ROLE_ID,DESCRIPTION,NAME,OWNEDBY,VERSION
1,"Site Administrator",SITEADMIN,sven,10
2,"Normal Site User",SITEUSER,sven,3
3,"Root Admin Role",admin_role,sven,2


4. Table - RolePermissions
ROLEID,PERMISSIONID,IDX
1,5,0
2,2,0
2,4,1
3,3,0






Re: Shiro with JdbcRealm

Posted by David Tildesley <da...@yahoo.co.nz>.
I suggest you remove the [users] and [roles] sections from the ini file as they are not needed for your purpose and from memory there is some side-effect from leaving them in place when not using the iniRealm. It would be useful to see the other tables as well.

David.





Re: Shiro with JdbcRealm

Posted by james agada <ok...@gmail.com>.
I have struggled with this for some time and I still cannot get the
behaviour right. Now, it is only a permission of * that works. Any other
permission and the user cannot see the menu or dashboard. I also have to
shut down and restart before any permission changes or user definitions
take effect.

Here is the shiro.ini

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#

[main]
ps = org.apache.shiro.authc.credential.DefaultPasswordService
pm = org.apache.shiro.authc.credential.PasswordMatcher
pm.passwordService = $ps

aa = org.apache.shiro.authc.credential.AllowAllCredentialsMatcher
sm = org.apache.shiro.authc.credential.SimpleCredentialsMatcher

ds = com.jolbox.bonecp.BoneCPDataSource
ds.driverClass = com.mysql.jdbc.Driver
ds.jdbcUrl = jdbc:mysql://localhost:3306/myticket
ds.username = root
#ds.password =  .
jdbcRealm.dataSource = $ds

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.credentialsMatcher = $sm
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager

jdbcRealm.dataSource = $ds

jdbcRealm.authenticationQuery = SELECT password FROM user WHERE name = ?
jdbcRealm.userRolesQuery = SELECT role.name AS role_name FROM user,userroles, role WHERE  user.user_id = userroles.userid AND userroles.roleid = role.role_id AND user.name = ?
jdbcRealm.permissionsQuery = SELECT permission.permission AS roleper FROM role, permission, rolepermissions WHERE rolepermissions.roleid=role.role_id AND rolepermissions.permissionid = permission.permission_id AND role.name = ?

securityManager.realms = $jdbcRealm
securityManager.cacheManager = $builtInCacheManager
# to use .ini file
#securityManager.realms = $iniRealm

# -----------------------------------------------------------------------------
# Users and their assigned roles
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setUserDefinitions JavaDoc
# -----------------------------------------------------------------------------

[users]
# user = password, role1, role2, role3, ...

sven = pass, admin_role
dick = pass, user_role, self-install_role
bob  = pass, user_role, self-install_role
joe  = pass, user_role, self-install_role
guest = guest, user_role

# -----------------------------------------------------------------------------
# Roles with assigned permissions
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setRoleDefinitions JavaDoc
# -----------------------------------------------------------------------------

[roles]
# role = perm1, perm2, perm3, ...
# perm in format: packageName:className:memberName:r,w

user_role =   *:ToDoItemsJdo:*:*,\
              *:ToDoItem:*:*
self-install_role = *:ToDoItemsFixturesService:install:*
admin_role = *


***
Here is the permission table
PERMISSION_ID,DESCRIPTION,NAME,OWNEDBY,PERMISSION,VERSION
1,"Create Users",CreateUser,sven,*:ToDoItemsFixturesService:install:*,7
2,"View Existing Users",ViewUsers,sven,*:User:*:r,2
3,"Root access",ROOT,sven,*,1
4,"Setup inventory",SetupInventory,sven,"*:Inventory:*:r,w",1
5,todo,TODO,sven,*:Parties:*:*,3



Re: Shiro with JdbcRealm

Posted by David Tildesley <da...@yahoo.co.nz>.
Copy us the whole shiro.ini file (blank out any sensitive connection info).


David.



________________________________
 From: james agada <ok...@gmail.com>
To: "users@isis.apache.org" <us...@isis.apache.org> 
Sent: Friday, 25 October 2013 9:23 AM
Subject: Shiro with JdbcRealm
 

I have been able to set up Shiro to use a JdbcRealm and authenticate against
the database. However, it does not appear to use the permissions. I want to
set a role to have permissions only to run the ToDoItems fixture service
and I give the permission as so  *:ToDoItemsFixturesService:install:*. But
the user with the role still gets access to everything. Is there something
I am doing wrong?
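
Added example (not part of any message in this thread, and not Isis or Shiro code): it loads the rows posted above into an in-memory SQLite database, runs the two lookup queries from the posted shiro.ini, and checks requests with a Python re-implementation of the matching rules of Shiro's default WildcardPermission. SQLite standing in for MySQL, the `dom` package name in the sample requests, and the use of the default permission resolver are assumptions.

```python
import sqlite3

# Only the columns the two lookup queries touch; rows copied from the thread.
SCHEMA = """
CREATE TABLE user (user_id INTEGER, name TEXT);
CREATE TABLE role (role_id INTEGER, name TEXT);
CREATE TABLE permission (permission_id INTEGER, permission TEXT);
CREATE TABLE userroles (userid INTEGER, roleid INTEGER);
CREATE TABLE rolepermissions (roleid INTEGER, permissionid INTEGER);
"""
ROWS = {
    "user": [(1, "james"), (2, "Anthonia"), (3, "sven"), (4, "chimaje")],
    "role": [(1, "SITEADMIN"), (2, "SITEUSER"), (3, "admin_role")],
    "permission": [(1, "*:ToDoItemsFixturesService:install:*"), (2, "*:User:*:r"),
                   (3, "*"), (4, "*:Inventory:*:r,w"), (5, "*:Parties:*:*")],
    "userroles": [(1, 1), (2, 2), (3, 3), (4, 3)],
    "rolepermissions": [(1, 5), (2, 2), (2, 4), (3, 3)],
}

# The two queries as configured in the posted shiro.ini.
USER_ROLES_QUERY = (
    "SELECT role.name AS role_name FROM user,userroles, role "
    "WHERE user.user_id = userroles.userid AND userroles.roleid = role.role_id "
    "AND user.name = ?")
PERMISSIONS_QUERY = (
    "SELECT permission.permission AS roleper FROM role, permission, rolepermissions "
    "WHERE rolepermissions.roleid=role.role_id "
    "AND rolepermissions.permissionid = permission.permission_id AND role.name = ?")


def build_db():
    """In-memory SQLite database holding the posted rows (stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in ROWS.items():
        db.executemany(f"INSERT INTO {table} VALUES (?, ?)", rows)
    return db


def parse(perm):
    """Split on ':' into parts and on ',' into subparts, lower-cased."""
    parts = [frozenset(s.strip().lower() for s in part.split(",") if s.strip())
             for part in perm.strip().split(":")]
    if any(not part for part in parts):
        raise ValueError(f"empty part in permission string: {perm!r}")
    return parts


def implies(granted, requested):
    """True when the granted wildcard permission covers the requested one."""
    g, r = parse(granted), parse(requested)
    for i, wanted in enumerate(r):
        if i >= len(g):
            return True                      # shorter grant implies the rest
        if "*" not in g[i] and not wanted <= g[i]:
            return False                     # this part does not cover the request
    # A longer grant only matches if its extra parts are all wildcards.
    return all("*" in part for part in g[len(r):])


def load_authorization(db, username):
    """Roles and permission strings the two queries return for one user."""
    roles = sorted(row[0] for row in db.execute(USER_ROLES_QUERY, (username,)))
    return {role: sorted(row[0] for row in db.execute(PERMISSIONS_QUERY, (role,)))
            for role in roles}


def is_permitted(db, username, requested):
    grants = load_authorization(db, username)
    return any(implies(p, requested) for perms in grants.values() for p in perms)


def unassigned_permissions(db):
    """Permission rows that no row of rolepermissions links to a role."""
    rows = db.execute(
        "SELECT permission FROM permission WHERE permission_id NOT IN "
        "(SELECT permissionid FROM rolepermissions) ORDER BY permission_id")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    request = "dom:ToDoItemsFixturesService:install:r"   # constructed request
    # SQLite compares names case-sensitively, so names are spelled as stored.
    for name in ("james", "Anthonia", "sven", "chimaje"):
        print(name, load_authorization(db, name), is_permitted(db, name, request))
    print("not linked to any role:", unassigned_permissions(db))
```

With the rows as posted, `*:ToDoItemsFixturesService:install:*` is not linked to any role in RolePermissions, so only the two `admin_role` users (whose permission is `*`) pass the fixture-service check.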