You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by Jamesb <ja...@bowkett.info> on 2011/12/21 12:08:17 UTC
Do you have to SecurityUtils.setSecurityManager in a web app to use
shiro tag library?
Hi,
I am using the ShiroFilter within a Spring-based webapp. I was following
the guidance from this documentation: http://shiro.apache.org/spring.html
http://shiro.apache.org/spring.html
I also want to use the jsp tag library <shiro:hasRole...> however, when I
run my application I get the following exception :
org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
accessible to the calling code, either bound to the
org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an
invalid application configuration.
at
org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
at org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:627)
...
unless I include the following in my ApplicationContext.xml:
<bean
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod"
value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean>
I understand that in order for the static SecurityUtils.XXX calls to work
there must be a ThreadLocal SecurityManager, and not including the xml
snippet above means there isn't one, hence the exception. However,
following the comment given in the example in the link above,
< !-- make the securityManager bean a static singleton. DO NOT do this in
web -- >
< !-- applications - see the 'Web Applications' section below instead. -- >
Is there an alternative way I should be making the SecurityManager available
to the <shiro:... tag library?
Or is this a documentation bug?....and one should set the security manager
in SecurityUtils, but one shouldn't access it in this way, it should be
injected using your container?
Thanks,
-James
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114798.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Jamesb <ja...@bowkett.info>.
Thanks Kalle, you are very much correct!
It seemed like I was doing something far-too-vanilla for it to be a bug in
Shiro.
Thanks for the help
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7192005.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Kalle Korhonen <ka...@gmail.com>.
On Fri, Jan 13, 2012 at 9:10 AM, Jamesb <ja...@bowkett.info> wrote:
> I think I've gotten to the bottom of this. I have a sample test project
> available here:
> https://github.com/jbowkett/Apache-Shiro-probs
> https://github.com/jbowkett/Apache-Shiro-probs
> The crux of the problem is that I was using Stripes for my page layout etc.
> within one of those layouts, was the shiro:hasRole (to present a link to our
> admin area). One of my pages was a generic 404 error page, which also used
> the same page layout. I configured this error page with the following in my
> web.xml:
> <error-page>
> <error-code>404</error-code>
> <location>/WEB-INF/jsp/core/not_found.jsp</location>
> </error-page>
> It would appear when running with Tomcat 6, this error page was re-compiled
> on each separate page impression, however, I guess it had not gone through
> the Shiro filter so it did not have the SecurityManager instance in its
> ThreadLocal, hence the exception trace.
> This was wrapped in several re-used layout jsps, so it was a bit of a rats'
> nest to untangle (not least because it looked like the layout jsp for the
> requested page was causing the exception trace, not a parallel compile of
> the 404 page), but hopefully the code example I've put in github should show
> the problem in its most obvious form. (You can turn the error on or off, by
> commenting out the error page snippet above in the web.xml)
> Interestingly, this is not a problem when running my webapp under jetty :
> Perhaps Tomcat pre-compiles the 404 page (but on every page impression?) and
> jetty does not?
No, nothing to do with pre-compilation. It's just that you haven't
configured the Shiro filter to run on invocation of the ERROR
dispatcher. By default, Tomcat invokes the filter chain only on
REQUEST dispatcher. It's a standard servlet thing, but I'm not sure if
Jetty implements dispatchers at all or they just have a different
default. In your web.xml, configure:
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
or just some as needed.
Kalle
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Jamesb <ja...@bowkett.info>.
A-HAAAAA!
I think I've gotten to the bottom of this. I have a sample test project
available here:
https://github.com/jbowkett/Apache-Shiro-probs
https://github.com/jbowkett/Apache-Shiro-probs
The crux of the problem is that I was using Stripes for my page layout etc.
within one of those layouts, was the shiro:hasRole (to present a link to our
admin area). One of my pages was a generic 404 error page, which also used
the same page layout. I configured this error page with the following in my
web.xml:
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsp/core/not_found.jsp</location>
</error-page>
It would appear when running with Tomcat 6, this error page was re-compiled
on each separate page impression, however, I guess it had not gone through
the Shiro filter so it did not have the SecurityManager instance in its
ThreadLocal, hence the exception trace.
This was wrapped in several re-used layout jsps, so it was a bit of a rats'
nest to untangle (not least because it looked like the layout jsp for the
requested page was causing the exception trace, not a parallel compile of
the 404 page), but hopefully the code example I've put in github should show
the problem in its most obvious form. (You can turn the error on or off, by
commenting out the error page snippet above in the web.xml)
Interestingly, this is not a problem when running my webapp under jetty :
Perhaps Tomcat pre-compiles the 404 page (but on every page impression?) and
jetty does not?
Maybe this is a documentation bug?
Let me know if you need any more info or if I can help any further on this?
(if it's going to go anywhere?)
Best,
-James
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7184705.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Kalle Korhonen <ka...@gmail.com>.
On Tue, Jan 10, 2012 at 5:36 PM, Les Hazlewood <lh...@apache.org> wrote:
> As mentioned, the ThreadLocal.remove() call will remove the original
> map and cause a new Map to be created as necessary for future
> ThreadLocal.get() calls. Do you think this is causing you trouble?
> Perhaps we should call ThreadLocal.get().clear() instead?
Often clear() is better than nullifying a map but in this case it
shouldn't make a difference, either way the securityManager would be
lost. Anyway, it'd be a good idea to put a breakpoint on
ThreadLocal.remove() and verify that is what's causing the issue and
see what's in the call stack at that moment.
Kalle
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Les Hazlewood <lh...@apache.org>.
Hi James,
This *might* be a bug - do you have any information on when the
ThreadLocal might be replaced and what it is replaced with? Also, is
this repeatable at all? I would love to get my hands on a test case
that re-creates the issue (even if there is no obvious solution in
sight). Repeatability is the key to solving thread-related issues
IMO.
Anyway, Shiro has a ThreadState concept that sits on top of the
ThreadContext (which masks interaction with a ThreadLocal). The
ThreadState will store Shiro's thread state to the ThreadContext at
the beginning of a request, but it will replace what might have been
there previously at the end of the request. That is, ThreadState
works like this:
bind() (beginning of the request):
- save what might have been on the thread (call ThreadContext.getResources())
- bind the specified Subject and SecurityManager to the thread
restore() (end of the request, or in the event of an exception):
- remove the ThreadLocal (threadLocal.remove()). This will cause a
new Map instance to be created on the next ThreadLocal.get() call.
- reinstate what might have been on the thread (call
ThreadContext.setResources(previousResources); )
As mentioned, the ThreadLocal.remove() call will remove the original
map and cause a new Map to be created as necessary for future
ThreadLocal.get() calls. Do you think this is causing you trouble?
Perhaps we should call ThreadLocal.get().clear() instead?
Please keep us posted if possible.
Best,
--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
On Tue, Jan 10, 2012 at 4:57 AM, Jamesb <ja...@bowkett.info> wrote:
> (Thanks Alexandr)
> Indeed, that's what I thought. I've already done as you outline, and it
> looks like it might be a bug as the subsequent calls to ThreadLocal.get()
> are getting a different instance and hence throwing the exception above.
> That said, it seems that there are loads of instances of people using Shiro
> in a similar configuration to mine, so I figure it should be a well-trodden
> path (so it follows the likelihood of it being a bug is slim), so I was
> hoping to bump this thread to see if someone with more experience of this
> area of the codebase could make sense of what I was seeing in my debugger?
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7171946.html
> Sent from the Shiro User mailing list archive at Nabble.com.
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Jamesb <ja...@bowkett.info>.
(Thanks Alexandr)
Indeed, that's what I thought. I've already done as you outline, and it
looks like it might be a bug as the subsequent calls to ThreadLocal.get()
are getting a different instance and hence throwing the exception above.
That said, it seems that there are loads of instances of people using Shiro
in a similar configuration to mine, so I figure it should be a well-trodden
path (so it follows the likelihood of it being a bug is slim), so I was
hoping to bump this thread to see if someone with more experience of this
area of the codebase could make sense of what I was seeing in my debugger?
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7171946.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Alex Vasilenko <aa...@gmail.com>.
I would say that you're trying to workaround issue instead of solving it.
But I'm unable to help you. Try lower shiro logging threshold to TRACE, add
breakpoints to SecurityUtils.setManager and all ThreadContext.set* calls.
It can help to find an issue.
Regards,
Alexandr Vasilenko
Web Developer
Skype:menterr
mob: +38097-611-45-99
2012/1/10 Jamesb <ja...@bowkett.info>
> Can anyone confirm if it is right that I've left the following config in my
> applicationcontext.xml:
> <bean
> class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
> <property name="staticMethod"
> value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
> <property name="arguments" ref="securityManager"/>
> </bean>
> ?
>
> Even though the documentation says it should not be necessary in a web
> application?
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7171769.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Jamesb <ja...@bowkett.info>.
Can anyone confirm if it is right that I've left the following config in my
applicationcontext.xml:
<bean
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod"
value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean>
?
Even though the documentation says it should not be necessary in a web
application?
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7171769.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Jamesb <ja...@bowkett.info>.
On the face of it, it doesn't seem like a new thread is the issue.
>From stepping through the AbstractShiroFilter, and watching the put and get
calls to shiro.util.ThreadContext I can see the SecurityManager getting set
in the ThreadContext.bind() calls
However, when SecurityManager.getSecurityManager() is called, the
ThreadContext.getSecurityManager() call returns null (line 115 in
SecurityUtils.java)
And both calls I believe are being undertaken by the thread named
http-8080-2 (in this case).
However, I have put watches on ThreadContext.resources.get() and just
before the exception is thrown, the result of the
ThreadContext.resources.get() call is a different object reference to a
different Map to the one I saw the SecurityManager put into.
I've never used ThreadLocal in anger, but I'm guessing this is the cause of
the message I'm seeing, is there something I am doing wrong?
Thanks,
-James
On 21 December 2011 11:55, James Bowkett <ja...@bowkett.info> wrote:
> Hmmm...Not sure why it would be, I'm using the Shiro Filter, and then next
> in the chain is a Stripes Filter to construct my web app within Tomcat 6.
> As far as I can tell, when Tomcat receives a request, it is then serviced
> by one of the threads in its threadpool (I don't spawn any threads of my
> own at any time). This then calls the ShiroFilter which will do whatever
> it needs to match HTTP session IDs to the Subject and then presumably
> should set that Subject in the ThreadContext so it can be picked up using
> SecurityUtils.XXX calls
>
> I'll try stepping through it in the debugger and see if I can see what's
> happening
>
> Thanks for helping me out on this...
>
> Cheers,
>
> -James
>
>
> On 21 December 2011 11:20, Alex Vasilenko [via Shiro User] <
> ml-node+s582556n7114821h55@n2.nabble.com> wrote:
>
>> Looks like it's executed in different thread. Any ideas how and why?
>>
>> Alexandr Vasilenko
>> Web Developer
>>
>> 2011/12/21 Jamesb <[hidden email]<http://user/SendEmail.jtp?type=node&node=7114821&i=0>
>> >
>>
>>> It's very similar, my config looks like this
>>>
>>>
>>> <bean id="shiroFilter"
>>> class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>>> <property name="securityManager" ref="securityManager"/>
>>> <!-- override these for application-specific URLs if you like:-->
>>> <property name="loginUrl" value="/Login.action"/>
>>> <property name="successUrl" value="/index.jsp"/>
>>> <property name="filterChainDefinitions">
>>> <value>
>>> /security/** = roles[administrator]
>>> /search/** = roles[user]
>>> </value>
>>> </property>
>>> </bean>
>>>
>>> On 21 December 2011 11:13, Alex Vasilenko [via Shiro User] <
>>> [hidden email] <http://user/SendEmail.jtp?type=node&node=7114821&i=1>>
>>> wrote:
>>>
>>> > Hello James,
>>> >
>>> > SecurityManager is bound to thread by shiro filter on request start and
>>> > unbound on request complete.
>>> > Do you have something like https://gist.github.com/1505659 in your
>>> spring
>>> > context?
>>> >
>>> > Regards,
>>> > Alexandr Vasilenko
>>> > Web Developer
>>> >
>>> > 2011/12/21 Jamesb <[hidden email]<
>>> http://user/SendEmail.jtp?type=node&node=7114810&i=0>
>>>
>>> > >
>>> >
>>> >> Hi,
>>> >>
>>> >> I am using the ShiroFilter within a Spring-based webapp. I was
>>> following
>>> >> the guidance from this documentation:
>>> >> http://shiro.apache.org/spring.html
>>> >> http://shiro.apache.org/spring.html
>>> >>
>>> >> I also want to use the jsp tag library <shiro:hasRole...> however,
>>> when I
>>> >> run my application I get the following exception :
>>> >>
>>> >> org.apache.shiro.UnavailableSecurityManagerException: No
>>> SecurityManager
>>> >> accessible to the calling code, either bound to the
>>> >> org.apache.shiro.util.ThreadContext or as a vm static singleton.
>>> This is
>>> >> an
>>> >> invalid application configuration.
>>> >> at
>>> >>
>>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>>> >> at
>>> >> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:627)
>>> >> ...
>>> >>
>>> >> unless I include the following in my ApplicationContext.xml:
>>> >>
>>> >> <bean
>>> >>
>>> >>
>>> class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
>>> >> <property name="staticMethod"
>>> >> value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
>>> >> <property name="arguments" ref="securityManager"/>
>>> >> </bean>
>>> >>
>>> >> I understand that in order for the static SecurityUtils.XXX calls to
>>> work
>>> >> there must be a ThreadLocal SecurityManager, and not including the xml
>>> >> snippet above means there isn't one, hence the exception. However,
>>> >> following the comment given in the example in the link above,
>>> >> < !-- make the securityManager bean a static singleton. DO NOT do
>>> this in
>>> >> web -- >
>>> >> < !-- applications - see the 'Web Applications' section below
>>> instead. --
>>> >> >
>>> >>
>>> >> Is there an alternative way I should be making the SecurityManager
>>> >> available
>>> >> to the <shiro:... tag library?
>>> >>
>>> >> Or is this a documentation bug?....and one should set the security
>>> manager
>>> >> in SecurityUtils, but one shouldn't access it in this way, it should
>>> be
>>> >> injected using your container?
>>> >>
>>> >> Thanks,
>>> >>
>>> >> -James
>>> >>
>>> >>
>>> >> --
>>> >> View this message in context:
>>> >>
>>> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114798.html
>>> >> Sent from the Shiro User mailing list archive at Nabble.com.
>>> >>
>>> >
>>> >
>>> >
>>> > ------------------------------
>>>
>>> > If you reply to this email, your message will be added to the
>>> discussion
>>> > below:
>>> >
>>> >
>>> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114810.html
>>> > To unsubscribe from Do you have to SecurityUtils.setSecurityManager
>>> in a
>>> > web app to use shiro tag library?, click here<
>>> > .
>>> > NAML<
>>> http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.InstantMailNamespace&breadcrumbs=instant+emails%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> __________________
>>> [hidden email] <http://user/SendEmail.jtp?type=node&node=7114821&i=2>
>>> 07967 156 887
>>>
>>>
>>> --
>>> View this message in context:
>>> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114813.html
>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>>
>>
>>
>>
>> ------------------------------
>> If you reply to this email, your message will be added to the
>> discussion below:
>>
>> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114821.html
>> To unsubscribe from Do you have to SecurityUtils.setSecurityManager in a
>> web app to use shiro tag library?, click here<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=7114798&code=amFtZXNAYm93a2V0dC5pbmZvfDcxMTQ3OTh8MzE4NTk0ODI0>
>> .
>> NAML<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.InstantMailNamespace&breadcrumbs=instant+emails%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>>
>
>
>
>
>
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7115031.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Jamesb <ja...@bowkett.info>.
Hmmm...Not sure why it would be, I'm using the Shiro Filter, and then next
in the chain is a Stripes Filter to construct my web app within Tomcat 6.
As far as I can tell, when Tomcat receives a request, it is then serviced
by one of the threads in its threadpool (I don't spawn any threads of my
own at any time). This then calls the ShiroFilter which will do whatever
it needs to match HTTP session IDs to the Subject and then presumably
should set that Subject in the ThreadContext so it can be picked up using
SecurityUtils.XXX calls
I'll try stepping through it in the debugger and see if I can see what's
happening
Thanks for helping me out on this...
Cheers,
-James
On 21 December 2011 11:20, Alex Vasilenko [via Shiro User] <
ml-node+s582556n7114821h55@n2.nabble.com> wrote:
> Looks like it's executed in different thread. Any ideas how and why?
>
> Alexandr Vasilenko
> Web Developer
>
> 2011/12/21 Jamesb <[hidden email]<http://user/SendEmail.jtp?type=node&node=7114821&i=0>
> >
>
>> It's very similar, my config looks like this
>>
>>
>> <bean id="shiroFilter"
>> class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>> <property name="securityManager" ref="securityManager"/>
>> <!-- override these for application-specific URLs if you like:-->
>> <property name="loginUrl" value="/Login.action"/>
>> <property name="successUrl" value="/index.jsp"/>
>> <property name="filterChainDefinitions">
>> <value>
>> /security/** = roles[administrator]
>> /search/** = roles[user]
>> </value>
>> </property>
>> </bean>
>>
>> On 21 December 2011 11:13, Alex Vasilenko [via Shiro User] <
>> [hidden email] <http://user/SendEmail.jtp?type=node&node=7114821&i=1>>
>> wrote:
>>
>> > Hello James,
>> >
>> > SecurityManager is bound to thread by shiro filter on request start and
>> > unbound on request complete.
>> > Do you have something like https://gist.github.com/1505659 in your
>> spring
>> > context?
>> >
>> > Regards,
>> > Alexandr Vasilenko
>> > Web Developer
>> >
>> > 2011/12/21 Jamesb <[hidden email]<
>> http://user/SendEmail.jtp?type=node&node=7114810&i=0>
>>
>> > >
>> >
>> >> Hi,
>> >>
>> >> I am using the ShiroFilter within a Spring-based webapp. I was
>> following
>> >> the guidance from this documentation:
>> >> http://shiro.apache.org/spring.html
>> >> http://shiro.apache.org/spring.html
>> >>
>> >> I also want to use the jsp tag library <shiro:hasRole...> however,
>> when I
>> >> run my application I get the following exception :
>> >>
>> >> org.apache.shiro.UnavailableSecurityManagerException: No
>> SecurityManager
>> >> accessible to the calling code, either bound to the
>> >> org.apache.shiro.util.ThreadContext or as a vm static singleton. This
>> is
>> >> an
>> >> invalid application configuration.
>> >> at
>> >>
>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>> >> at
>> >> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:627)
>> >> ...
>> >>
>> >> unless I include the following in my ApplicationContext.xml:
>> >>
>> >> <bean
>> >>
>> >>
>> class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
>> >> <property name="staticMethod"
>> >> value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
>> >> <property name="arguments" ref="securityManager"/>
>> >> </bean>
>> >>
>> >> I understand that in order for the static SecurityUtils.XXX calls to
>> work
>> >> there must be a ThreadLocal SecurityManager, and not including the xml
>> >> snippet above means there isn't one, hence the exception. However,
>> >> following the comment given in the example in the link above,
>> >> < !-- make the securityManager bean a static singleton. DO NOT do
>> this in
>> >> web -- >
>> >> < !-- applications - see the 'Web Applications' section below instead.
>> --
>> >> >
>> >>
>> >> Is there an alternative way I should be making the SecurityManager
>> >> available
>> >> to the <shiro:... tag library?
>> >>
>> >> Or is this a documentation bug?....and one should set the security
>> manager
>> >> in SecurityUtils, but one shouldn't access it in this way, it should be
>> >> injected using your container?
>> >>
>> >> Thanks,
>> >>
>> >> -James
>> >>
>> >>
>> >> --
>> >> View this message in context:
>> >>
>> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114798.html
>> >> Sent from the Shiro User mailing list archive at Nabble.com.
>> >>
>> >
>> >
>> >
>> > ------------------------------
>>
>> > If you reply to this email, your message will be added to the
>> discussion
>> > below:
>> >
>> >
>> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114810.html
>> > To unsubscribe from Do you have to SecurityUtils.setSecurityManager in
>> a
>> > web app to use shiro tag library?, click here<
>> > .
>> > NAML<
>> http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.InstantMailNamespace&breadcrumbs=instant+emails%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml
>> >
>> >
>>
>>
>>
>> --
>> __________________
>> [hidden email] <http://user/SendEmail.jtp?type=node&node=7114821&i=2>
>> 07967 156 887
>>
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114813.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>
>
>
> ------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
>
> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114821.html
> To unsubscribe from Do you have to SecurityUtils.setSecurityManager in a
> web app to use shiro tag library?, click here<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=7114798&code=amFtZXNAYm93a2V0dC5pbmZvfDcxMTQ3OTh8MzE4NTk0ODI0>
> .
> NAML<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.InstantMailNamespace&breadcrumbs=instant+emails%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114881.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Alex Vasilenko <aa...@gmail.com>.
Looks like it's executed in different thread. Any ideas how and why?
Alexandr Vasilenko
Web Developer
2011/12/21 Jamesb <ja...@bowkett.info>
> It's very similar, my config looks like this
>
> <bean id="shiroFilter"
> class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
> <property name="securityManager" ref="securityManager"/>
> <!-- override these for application-specific URLs if you like:-->
> <property name="loginUrl" value="/Login.action"/>
> <property name="successUrl" value="/index.jsp"/>
> <property name="filterChainDefinitions">
> <value>
> /security/** = roles[administrator]
> /search/** = roles[user]
> </value>
> </property>
> </bean>
>
> On 21 December 2011 11:13, Alex Vasilenko [via Shiro User] <
> ml-node+s582556n7114810h14@n2.nabble.com> wrote:
>
> > Hello James,
> >
> > SecurityManager is bound to thread by shiro filter on request start and
> > unbound on request complete.
> > Do you have something like https://gist.github.com/1505659 in your
> spring
> > context?
> >
> > Regards,
> > Alexandr Vasilenko
> > Web Developer
> >
> > 2011/12/21 Jamesb <[hidden email]<
> http://user/SendEmail.jtp?type=node&node=7114810&i=0>
> > >
> >
> >> Hi,
> >>
> >> I am using the ShiroFilter within a Spring-based webapp. I was
> following
> >> the guidance from this documentation:
> >> http://shiro.apache.org/spring.html
> >> http://shiro.apache.org/spring.html
> >>
> >> I also want to use the jsp tag library <shiro:hasRole...> however,
> when I
> >> run my application I get the following exception :
> >>
> >> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
> >> accessible to the calling code, either bound to the
> >> org.apache.shiro.util.ThreadContext or as a vm static singleton. This
> is
> >> an
> >> invalid application configuration.
> >> at
> >>
> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
> >> at
> >> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:627)
> >> ...
> >>
> >> unless I include the following in my ApplicationContext.xml:
> >>
> >> <bean
> >>
> >>
> class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
> >> <property name="staticMethod"
> >> value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
> >> <property name="arguments" ref="securityManager"/>
> >> </bean>
> >>
> >> I understand that in order for the static SecurityUtils.XXX calls to
> work
> >> there must be a ThreadLocal SecurityManager, and not including the xml
> >> snippet above means there isn't one, hence the exception. However,
> >> following the comment given in the example in the link above,
> >> < !-- make the securityManager bean a static singleton. DO NOT do this
> in
> >> web -- >
> >> < !-- applications - see the 'Web Applications' section below instead.
> --
> >> >
> >>
> >> Is there an alternative way I should be making the SecurityManager
> >> available
> >> to the <shiro:... tag library?
> >>
> >> Or is this a documentation bug?....and one should set the security
> manager
> >> in SecurityUtils, but one shouldn't access it in this way, it should be
> >> injected using your container?
> >>
> >> Thanks,
> >>
> >> -James
> >>
> >>
> >> --
> >> View this message in context:
> >>
> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114798.html
> >> Sent from the Shiro User mailing list archive at Nabble.com.
> >>
> >
> >
> >
> > ------------------------------
> > If you reply to this email, your message will be added to the discussion
> > below:
> >
> >
> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114810.html
> > To unsubscribe from Do you have to SecurityUtils.setSecurityManager in a
> > web app to use shiro tag library?, click here<
> http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=7114798&code=amFtZXNAYm93a2V0dC5pbmZvfDcxMTQ3OTh8MzE4NTk0ODI0
> >
> > .
> > NAML<
> http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.InstantMailNamespace&breadcrumbs=instant+emails%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml
> >
> >
>
>
>
> --
> __________________
> james@bowkett.info
> 07967 156 887
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114813.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Jamesb <ja...@bowkett.info>.
It's very similar, my config looks like this
<bean id="shiroFilter"
class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<!-- override these for application-specific URLs if you like:-->
<property name="loginUrl" value="/Login.action"/>
<property name="successUrl" value="/index.jsp"/>
<property name="filterChainDefinitions">
<value>
/security/** = roles[administrator]
/search/** = roles[user]
</value>
</property>
</bean>
On 21 December 2011 11:13, Alex Vasilenko [via Shiro User] <
ml-node+s582556n7114810h14@n2.nabble.com> wrote:
> Hello James,
>
> SecurityManager is bound to thread by shiro filter on request start and
> unbound on request complete.
> Do you have something like https://gist.github.com/1505659 in your spring
> context?
>
> Regards,
> Alexandr Vasilenko
> Web Developer
>
> 2011/12/21 Jamesb <[hidden email]<http://user/SendEmail.jtp?type=node&node=7114810&i=0>
> >
>
>> Hi,
>>
>> I am using the ShiroFilter within a Spring-based webapp. I was following
>> the guidance from this documentation:
>> http://shiro.apache.org/spring.html
>> http://shiro.apache.org/spring.html
>>
>> I also want to use the jsp tag library <shiro:hasRole...> however, when I
>> run my application I get the following exception :
>>
>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
>> accessible to the calling code, either bound to the
>> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is
>> an
>> invalid application configuration.
>> at
>> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
>> at
>> org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:627)
>> ...
>>
>> unless I include the following in my ApplicationContext.xml:
>>
>> <bean
>>
>> class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
>> <property name="staticMethod"
>> value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
>> <property name="arguments" ref="securityManager"/>
>> </bean>
>>
>> I understand that in order for the static SecurityUtils.XXX calls to work
>> there must be a ThreadLocal SecurityManager, and not including the xml
>> snippet above means there isn't one, hence the exception. However,
>> following the comment given in the example in the link above,
>> < !-- make the securityManager bean a static singleton. DO NOT do this in
>> web -- >
>> < !-- applications - see the 'Web Applications' section below instead. --
>> >
>>
>> Is there an alternative way I should be making the SecurityManager
>> available
>> to the <shiro:... tag library?
>>
>> Or is this a documentation bug?....and one should set the security manager
>> in SecurityUtils, but one shouldn't access it in this way, it should be
>> injected using your container?
>>
>> Thanks,
>>
>> -James
>>
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114798.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>
>
>
> ------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
>
> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114810.html
> To unsubscribe from Do you have to SecurityUtils.setSecurityManager in a
> web app to use shiro tag library?, click here<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=7114798&code=amFtZXNAYm93a2V0dC5pbmZvfDcxMTQ3OTh8MzE4NTk0ODI0>
> .
> NAML<http://shiro-user.582556.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.InstantMailNamespace&breadcrumbs=instant+emails%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>
--
__________________
james@bowkett.info
07967 156 887
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114813.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Do you have to SecurityUtils.setSecurityManager in a web app to
use shiro tag library?
Posted by Alex Vasilenko <aa...@gmail.com>.
Hello James,
SecurityManager is bound to thread by shiro filter on request start and
unbound on request complete.
Do you have something like https://gist.github.com/1505659 in your spring
context?
Regards,
Alexandr Vasilenko
Web Developer
2011/12/21 Jamesb <ja...@bowkett.info>
> Hi,
>
> I am using the ShiroFilter within a Spring-based webapp. I was following
> the guidance from this documentation: http://shiro.apache.org/spring.html
> http://shiro.apache.org/spring.html
>
> I also want to use the jsp tag library <shiro:hasRole...> however, when I
> run my application I get the following exception :
>
> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
> accessible to the calling code, either bound to the
> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is
> an
> invalid application configuration.
> at
> org.apache.shiro.SecurityUtils.getSecurityManager(SecurityUtils.java:123)
> at org.apache.shiro.subject.Subject$Builder.<init>(Subject.java:627)
> ...
>
> unless I include the following in my ApplicationContext.xml:
>
> <bean
> class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
> <property name="staticMethod"
> value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
> <property name="arguments" ref="securityManager"/>
> </bean>
>
> I understand that in order for the static SecurityUtils.XXX calls to work
> there must be a ThreadLocal SecurityManager, and not including the xml
> snippet above means there isn't one, hence the exception. However,
> following the comment given in the example in the link above,
> < !-- make the securityManager bean a static singleton. DO NOT do this in
> web -- >
> < !-- applications - see the 'Web Applications' section below instead. -- >
>
> Is there an alternative way I should be making the SecurityManager
> available
> to the <shiro:... tag library?
>
> Or is this a documentation bug?....and one should set the security manager
> in SecurityUtils, but one shouldn't access it in this way, it should be
> injected using your container?
>
> Thanks,
>
> -James
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Do-you-have-to-SecurityUtils-setSecurityManager-in-a-web-app-to-use-shiro-tag-library-tp7114798p7114798.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>