Posted to user@shiro.apache.org by mceliksoy <me...@gmail.com> on 2011/08/25 14:21:35 UTC

Hessian WebService + Shiro

Hello people,
I would like to use Shiro as the security framework in my app. I have
looked a lot on the Internet and read about Shiro.
I implemented my whole business logic as a WebService, a Hessian WebService
exactly. I also have a GWT client that accesses the business logic.
The projects are different and are running on different servers.
I created my business logic as a Dynamic Web Project in Eclipse.
It will work like this:
Users will enter their login information in GWT and the GWT client accesses the
WebService to confirm registration.
This is my configuration:

*Shiro.ini*
------------------------------
[main] 
# realms to be used
myRealm=com.domain.MyRealm
# any object property is automatically configurable in Shiro.ini file
myRealm.jndiDataSourceName=java:app/jdbc/myAppDS

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO
securityManager.sessionManager = $sessionManager

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager 

[urls]
# enable certificateFilter filter for all application pages
/dynamic/** = authcBasic



*My code in business logic to log in;*
-----------------------------------------------------------
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

public boolean login(String username, String password) {

   Subject currentUser = SecurityUtils.getSubject();
   if (!currentUser.isAuthenticated()) {
      System.out.println("User not logged in yet. Registration.");

      UsernamePasswordToken token = new UsernamePasswordToken(username, password);
      try {
         currentUser.login(token);
      } catch (AuthenticationException ae) {
         log.error("AuthenticationException");
         return false;
      }
   } else {
      System.out.println("Users already registered.");
   }

   return true;
}



*My client side code;*
----------------------------------------------
import java.net.MalformedURLException;
import com.caucho.hessian.client.HessianProxyFactory;

private IUserService userService;

public boolean clientLogin() {

   HessianProxyFactory factory = new HessianProxyFactory();
   String serviceURL = "http://localhost:8080/myWebServiceApp/userService";
   boolean loggedIn = false;
   try {
      userService = (IUserService) factory.create(IUserService.class, serviceURL);

      // the same login call is made three times on purpose, to see whether the
      // server notices on the second and third call that the user is already logged in
      loggedIn = userService.login("admin", "admin");
      System.out.println("loggedIn : " + loggedIn);

      loggedIn = userService.login("admin", "admin");
      System.out.println("loggedIn : " + loggedIn);

      loggedIn = userService.login("admin", "admin");
      System.out.println("loggedIn : " + loggedIn);

   } catch (MalformedURLException e) {
      e.printStackTrace();
   }
   return loggedIn;
}

I call the login method in the business logic from the client three times and
each time get the output
“User not logged in yet. Registration”.

Shiro does not notice that the user has already logged on.
How can I solve this problem? What am I doing wrong? What should I set for
it?
Thank you for your help in advance.


--
View this message in context: http://shiro-user.582556.n2.nabble.com/Hessian-WebService-Shiro-tp6724250p6724250.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Hessian WebService + Shiro

Posted by mceliksoy <me...@gmail.com>.
Hello Les Hazlewood-2 and many thanks for your answer. I changed my code like so,
and Shiro now stores the authentication state.

I return the *SessionID* from my server service to the client.

*My code in business logic to log in;*
----------------------------------------------------------- 
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public String login(String username, String password) {

   Subject currentUser = SecurityUtils.getSubject();
   // some login code

   Session session = currentUser.getSession();

   return session.getId().toString();
}


*In the client I add the SessionId to every other request.*

*My client side code;*
---------------------------------------------- 
import java.net.MalformedURLException;
import com.caucho.hessian.client.HessianProxyFactory;

private IUserService userService;
private IUserService testService;

public boolean clientLogin() {

   HessianProxyFactory factory = new HessianProxyFactory();

   String serviceURL = "http://localhost:8080/myWebServiceApp/userService";
   String testURL = "http://localhost:8080/myWebServiceApp/testService";

   String sessionID = null;
   try {
      userService = (IUserService) factory.create(IUserService.class, serviceURL);
      sessionID = userService.login("admin", "admin");

      System.out.println("sessionID : " + sessionID);

      // the session ID returned by login() is appended to the URL of every further service call
      testService = (IUserService) factory.create(IUserService.class,
                                                  testURL + "?JSESSIONID=" + sessionID);

      testService.doSome();
      testService.doThing();

   } catch (MalformedURLException e) {
      e.printStackTrace();
   }
   return sessionID != null;
}


Shiro remembers that I've already logged in when I call another service.

*testService in business logic;*
---------------------------------------------- 
public void  doSome() { 
 // ..perform some  business logic
}

public void  doThing() { 
 // ..perform some  business logic
}


Now it works wonderfully. I think that I do not need Subject.execute, because I
have a WebProject in the AppServer as a remoting mechanism. Or do I need it?

Secondly, I want to ask if my settings are correct for sessionManager,
sessionDAO and cacheManager in my scenario. Do I need these settings? What
should I set more?

I've read about org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
in the JavaDoc that 
“This implementation defaults to using an in-memory map-based {@code
CacheManager}, which is great for testing but will typically not scale for
production environments and could easily cause {@code
OutOfMemoryException}s. “
What should I choose instead?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Hessian-WebService-Shiro-tp6724250p6727963.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Hessian WebService + Shiro

Posted by Les Hazlewood <lh...@apache.org>.
For web apps, by default, Shiro stores authentication state in the
Session.  This means that every invocation/request into the server
must be able to be associated with a session.  For most web apps, this
means that the session ID cookie (e.g. JSESSIONID) is sent by the
browser with each request.

So for this to work 'out of the box', Hessian must support cookies.
Or perhaps it could be configured with something that does support
cookies, like the Apache HTTP Client [1]. (If you can plug in the HTTP
client, you need to ensure the same client instance is used for all
remoting calls to ensure the Session ID is maintained for all calls).

However, if Hessian does not support cookies or is not able to be
configured with a cookie-aware transport mechanism (like HttpClient),
you will manually need to pass the session ID with every request in a
remoting-specific manner.  If you need to do this, you will need to do
2 things:

1.  Enable Shiro's native session management (it appears that you have
already done this by configuring the DefaultWebSessionManager).  This
is required because standard Servlet Container session environments do
not support session-lookup-by-session-id, which is required here, and
2.  Send the session id explicitly as part of every remoting
invocation.  This is usually done by adding it to the remoting payload
as a header or map attribute (or whatever your remoting framework
supports).

Once the remote invocation is received by the server, another
component needs to inspect the remoting payload, extract the session
ID, and build a Subject instance based on that session ID.  After
that, the Subject must be bound to the thread so it is accessible
during the server-side processing of the invocation.  Finally the
Subject must be cleaned up/unbound from the thread so the threads
remain 'clean' in a pooled thread environment.

An example of this non-browser-based client/server interaction is our
Spring remoting support:

client-side: http://svn.apache.org/repos/asf/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/remoting/SecureRemoteInvocationFactory.java

server-side: http://svn.apache.org/repos/asf/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/remoting/SecureRemoteInvocationExecutor.java

The client-side component attaches a session ID to every remoting request.
The server-side component finds the session ID, creates a Subject
based on it, and executes the rest of the call stack based on that
Subject (using the Subject.execute call to wrap the rest of the
invocation).

Again, you only need to go through this exercise if your remoting
mechanism does not support HTTP Cookies.

** Finally, also note that at the moment, on every call you make into the
server (if session IDs are not preserved across requests) you are
creating a new session every time you call login.  This will have a
negative impact on performance.  Ensure that session IDs are sent with
each request somehow - either via cookie or remoting
framework-specific means - and you will be fine.

[1] http://hc.apache.org/httpclient-3.x/

HTH,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Thu, Aug 25, 2011 at 5:21 AM, mceliksoy <me...@gmail.com> wrote:
> Hello people,
> I would like to use Shiro as the security framework in my app. I have
> looked a lot on the Internet and read about Shiro.
> I implemented my whole business logic as a WebService, a Hessian WebService
> exactly. I also have a GWT client that accesses the business logic.
> The projects are different and are running on different servers.
> I created my business logic as a Dynamic Web Project in Eclipse.
> It will work like this:
> Users will enter their login information in GWT and the GWT client accesses the
> WebService to confirm registration.
> This is my configuration:
>
> *Shiro.ini*
> ------------------------------
> [main]
> # realms to be used
> myRealm=com.domain.MyRealm
> # any object property is automatically configurable in Shiro.ini file
> myRealm.jndiDataSourceName=java:app/jdbc/myAppDS
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> sessionManager.sessionDAO = $sessionDAO
> securityManager.sessionManager = $sessionManager
>
> cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
> securityManager.cacheManager = $cacheManager
>
> [urls]
> # enable certificateFilter filter for all application pages
> /dynamic/** = authcBasic
>
>
>
> *My code in business logic to log in ;*
> -----------------------------------------------------------
> public boolean login(String username, String password){
>
>   Subject currentUser = SecurityUtils.getSubject();
>   if(!currentUser.isAuthenticated()){
>        System.out.println("User not logged in yet. Registration.");
>
>        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
>        try {
>            currentUser.login(token);
>        } catch (AuthenticationException ae) {
>            log.error("AuthenticationException");
>            return false;
>        }
>   } else {
>        System.out.println("Users already registered.");
>   }
>
>  return true;
> }
>
>
>
> *My client side code;*
> ----------------------------------------------
> public boolean clientLogin() {
>
>   HessianProxyFactory factory = new HessianProxyFactory();
>   String serviceURL = "http://localhost:8080/myWebServiceApp/userService";
>   boolean loggedIn = false;
>   try {
>        userService = (IUserService) factory.create(IUserService.class, serviceURL);
>
>        // the same login call is made three times on purpose
>        loggedIn = userService.login("admin", "admin");
>        System.out.println("loggedIn : " + loggedIn);
>
>        loggedIn = userService.login("admin", "admin");
>        System.out.println("loggedIn : " + loggedIn);
>
>        loggedIn = userService.login("admin", "admin");
>        System.out.println("loggedIn : " + loggedIn);
>
>   } catch (MalformedURLException e) {
>        e.printStackTrace();
>   }
>   return loggedIn;
> }
>
> I call the login method in the business logic from the client three times and
> each time get the output
> “User not logged in yet. Registration”.
>
> Shiro does not notice that the user has already logged on.
> How can I solve this problem? What am I doing wrong? What should I set for
> it?
> Thank you for your help in advance.
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Hessian-WebService-Shiro-tp6724250p6724250.html
> Sent from the Shiro User mailing list archive at Nabble.com.
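The server-side half of the flow Les describes for a remoting mechanism without cookie support (find the session ID in the request, build a Subject from it, bind that Subject to the thread for the one invocation, unbind it afterwards) can be written as a servlet filter in front of the Hessian endpoint. The filter below is an added example for this thread, not code from Shiro or from either poster. The header name `X-Shiro-Session-Id` is an assumption; the `JSESSIONID` request parameter fallback matches what the client in the second post appends to the URL. It presumes Shiro's native session manager (`DefaultWebSessionManager`) is configured, since the session is looked up by ID, and it also answers the second post's question about `Subject.execute`: that call is what binds and then always unbinds the Subject.

```java
import java.io.IOException;
import java.util.concurrent.Callable;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.Subject;

/**
 * Hypothetical filter for a Hessian endpoint (example for this thread, not Shiro's code):
 * resolves the caller's Shiro session from an ID carried in the request instead of a
 * cookie, builds a Subject for it, and keeps that Subject bound to the thread only for
 * the duration of this one invocation.
 */
public class SessionIdSubjectFilter implements Filter {

    // Assumed header name, for clients that can set request headers.
    static final String SESSION_ID_HEADER = "X-Shiro-Session-Id";
    // Fallback: the request parameter the client in this thread appends to the URL.
    static final String SESSION_ID_PARAM = "JSESSIONID";

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    /** Header first, then request parameter; null when neither carries a value. */
    static String extractSessionId(HttpServletRequest request) {
        String id = request.getHeader(SESSION_ID_HEADER);
        if (id == null || id.trim().isEmpty()) {
            id = request.getParameter(SESSION_ID_PARAM);
        }
        return (id == null || id.trim().isEmpty()) ? null : id.trim();
    }

    public void doFilter(final ServletRequest req, final ServletResponse res,
                         final FilterChain chain) throws IOException, ServletException {

        String sessionId = extractSessionId((HttpServletRequest) req);

        // A missing ID gives an anonymous Subject; Shiro's DefaultSecurityManager also
        // treats an ID it cannot resolve as "no session", so such calls still reach the
        // service and are rejected by its own authentication/authorization checks.
        Subject.Builder builder = new Subject.Builder(SecurityUtils.getSecurityManager());
        if (sessionId != null) {
            builder.sessionId(sessionId);
        }
        Subject subject = builder.buildSubject();

        try {
            // execute() binds the Subject to the current thread, runs the rest of the
            // chain, and unbinds it in a finally block, which is what keeps pooled
            // container threads from carrying one caller's identity into the next call.
            subject.execute(new Callable<Void>() {
                public Void call() throws Exception {
                    chain.doFilter(req, res);
                    return null;
                }
            });
        } catch (ExecutionException e) {
            // Shiro wraps whatever the callable threw; unwrap the servlet exceptions.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            throw new ServletException(cause);
        }
    }
}
```

Map the filter in web.xml to the remoting URLs (the `/userService` and `/testService` paths used in this thread). Inside the service, `SecurityUtils.getSubject()` then returns the Subject built here, so the `login()` method from the second post attaches its authentication to `currentUser.getSession()` and the ID it returns is the one the client must send back on every later call.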