Posted to user@shiro.apache.org by versatec <ro...@versatec.de> on 2013/08/15 10:27:54 UTC

Example: Shiro SSO for multiple WAR-files with EhCache on Glassfish

Hi,

here is an example of how to get Shiro to provide Single-Sign-On for
multiple applications (war files) on the same application server
(specifically glassfish).

Place the required libs in [glassfish-home]/glassfish/domains/domain1/lib/:
  shiro-core-1.2.2.jar
  shiro-web-1.2.2.jar
  shiro-ehcache-1.2.2.jar
  shiro-slf4j-api-1.7.5.jar
  ehcache-2.7.3.jar *
  commons-beanutils-core-1.8.3.jar
  commons-logging-1.1.3.jar

* I had to replace the file ehcache-failsafe.xml inside the
ehcache-2.7.3.jar with the following file, because
'ssoCacheManager.cacheManagerConfigFile = ehcache.xml' in shiro.ini was
not applied even though I had put the file in
[glassfish-home]/glassfish/domains/domain1/config/ehcache.xml.
I do not know why ehcache ignores the ehcache.xml.

To replace the file within the jar:
  jar xvf ehcache-2.7.3.jar ehcache-failsafe.xml
  edit ehcache-failsafe.xml with your favourite editor
  jar uvf ehcache-2.7.3.jar ehcache-failsafe.xml
---------------
ehcache-failsafe.xml:
<ehcache>
  <diskStore path="java.io.tmpdir/shiro-ehcache"/>
  <!-- cache name must match the one used by EnterpriseCacheSessionDAO -->
  <cache name="shiro-activeSessionCache"
         maxElementsInMemory="1000"
         overflowToDisk="false"
         eternal="true"
         timeToLiveSeconds="0"
         timeToIdleSeconds="0"
  />
  <defaultCache
         maxElementsInMemory="10000"
         eternal="false"
         timeToIdleSeconds="120"
         timeToLiveSeconds="120"
         overflowToDisk="false"
         diskPersistent="false"
         diskExpiryThreadIntervalSeconds="120"
  />
</ehcache>
------------
This example uses Active Directory and MongoDB as realms, but you may use
any realm you want.
------------
shiro.ini of application A:
[main]
mongoRealm = de.versatec.mongo.shiro.MongoRealm

### active directory; without a searchBase a NullPointerException is thrown;
### the username must be an email address; cacerts.jks must contain the
### certificate of the samba server for ldaps
activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.searchBase = "CN=Users,DC=versatec,DC=invalid"
activeDirectoryRealm.systemUsername = sysli@versatec.invalid
activeDirectoryRealm.systemPassword = babaB4B4
activeDirectoryRealm.url = ldaps://localhost:636
activeDirectoryRealm.groupRolesMap = "CN=shiroGroup,CN=Users,DC=versatec,DC=invalid":"shiro"
rolePermissionResolver = de.versatec.mongo.shiro.ActiveDirectoryRolePermissionResolver
rolePermissionResolver.tenantId = versatec.invalid
activeDirectoryRealm.rolePermissionResolver = $rolePermissionResolver

### session sharing between web applications works with these settings but
### is very brittle when redeploying applications or when a realm's data
### store is unavailable (for instance when active directory is down);
### the brittleness is contained with overflowToDisk="false"
ehCacheFactory = de.versatec.mongo.shiro.EhCacheFactory
ssoCacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
ssoCacheManager.cacheManager = $ehCacheFactory
securityManager.cacheManager = $ssoCacheManager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO
securityManager.sessionManager = $sessionManager
### one cookie for the whole server: path "/" so every WAR receives it
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = SSOcookie
cookie.path = /
cookie.secure = true
securityManager.sessionManager.sessionIdCookie = $cookie

### successUrl is commented out because it raises
### org.apache.shiro.config.ConfigurationException: Property 'successUrl'
### does not exist for object of type de.versatec.mongobase.FacesAjaxAwareUserFilter
ajax = de.versatec.mongo.shiro.FacesAjaxAwareUserFilter
ajax.loginUrl = /login.xhtml
## ajax.successUrl = /index.xhtml
roles.unauthorizedUrl = /unauthorized.xhtml
firstStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $firstStrategy
securityManager.realms = $mongoRealm, $activeDirectoryRealm

[urls]
/login.xhtml = ssl[8181], ajax
/base.xhtml = ajax, perms["base:frame"]
/samba.xhtml = ajax, perms["shiro"]
### remember: specifying multiple roles means the user has to possess ALL
### roles specified
/role.xhtml = ajax, roles[admin, base]
/index.xhtml = ajax
/** = ajax
-------------------------
shiro.ini of application B:
[main]
mongoRealm = de.versatec.mongo.shiro.MongoRealm

### active directory; without a searchBase a NullPointerException is thrown;
### the username must be an email address; cacerts.jks must contain the
### certificate of the samba server for ldaps
activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.searchBase = "CN=Users,DC=versatec,DC=invalid"
activeDirectoryRealm.systemUsername = sysli@versatec.invalid
activeDirectoryRealm.systemPassword = babaB4B4
activeDirectoryRealm.url = ldaps://localhost:636
activeDirectoryRealm.groupRolesMap = "CN=shiroGroup,CN=Users,DC=versatec,DC=invalid":"shiro"
rolePermissionResolver = de.versatec.mongo.shiro.ActiveDirectoryRolePermissionResolver
rolePermissionResolver.tenantId = versatec.invalid
activeDirectoryRealm.rolePermissionResolver = $rolePermissionResolver

### session sharing between web applications works with these settings but
### is very brittle when redeploying applications or when a realm's data
### store is unavailable (for instance when active directory is down);
### the brittleness is contained with overflowToDisk="false"
ehCacheFactory = de.versatec.mongo.shiro.EhCacheFactory
ssoCacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
ssoCacheManager.cacheManager = $ehCacheFactory
securityManager.cacheManager = $ssoCacheManager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO
securityManager.sessionManager = $sessionManager
### same cookie name and path as application A, otherwise no session is shared
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = SSOcookie
cookie.path = /
cookie.secure = true
securityManager.sessionManager.sessionIdCookie = $cookie

### successUrl is commented out because it raises
### org.apache.shiro.config.ConfigurationException: Property 'successUrl'
### does not exist for object of type de.versatec.mongobase.FacesAjaxAwareUserFilter
ajax = de.versatec.mongo.shiro.FacesAjaxAwareUserFilter
ajax.loginUrl = /login.xhtml
## ajax.successUrl = /index.xhtml
roles.unauthorizedUrl = /unauthorized.xhtml
firstStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $firstStrategy
securityManager.realms = $mongoRealm, $activeDirectoryRealm

[urls]
/login.xhtml = ssl[8181], ajax
/index.xhtml = ajax, perms["frame:base"]
/** = ajax
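Both shiro.ini files reference de.versatec.mongo.shiro.EhCacheFactory without showing it. The following is an added example, not the author's code, of how such a factory can hand the same net.sf.ehcache.CacheManager to every WAR; it assumes Shiro's ini builder resolves a $reference to an org.apache.shiro.util.Factory bean by calling getInstance(), which is what lets `ssoCacheManager.cacheManager = $ehCacheFactory` receive a CacheManager. Note that EhCacheManager only reads cacheManagerConfigFile when it has to create its own CacheManager, so an explicitly assigned cacheManager would also explain why the ehcache.xml setting mentioned above was ignored.

```java
package de.versatec.mongo.shiro; // hypothetical: the post names this class but does not show it

import java.net.URL;

import net.sf.ehcache.CacheManager;
import org.apache.shiro.util.Factory;

/**
 * Supplies one shared Ehcache CacheManager to every web application.
 *
 * Because ehcache-2.7.3.jar sits in the domain lib directory, the Ehcache
 * singleton is owned by the server-wide classloader rather than by a single
 * WAR, so application A and application B both resolve the same
 * "shiro-activeSessionCache" (the cache name EnterpriseCacheSessionDAO uses)
 * and therefore see the same sessions: that is what makes the SSO work.
 */
public class EhCacheFactory implements Factory<CacheManager> {

    // Classpath location checked first; if absent, Ehcache's own lookup
    // falls back to the ehcache-failsafe.xml bundled in the jar (the file
    // the post edits in place). Assumed path, not taken from the post.
    private static final String CONFIG_RESOURCE = "/ehcache.xml";

    @Override
    public CacheManager getInstance() {
        URL config = EhCacheFactory.class.getResource(CONFIG_RESOURCE);
        // CacheManager.create(...) returns the JVM-wide singleton on every
        // call, so a second WAR calling this method gets the existing
        // instance instead of a private copy.
        return config != null ? CacheManager.create(config) : CacheManager.create();
    }
}
```

Redeploying one WAR does not restart the shared singleton, which is consistent with the brittleness the comments in shiro.ini describe: sessions created under the old deployment remain in the cache while the classes that produced them are reloaded.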

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Example-Shiro-SSO-for-multiple-WAR-files-with-EhCache-on-Glassfish-tp7579037.html