Posted to user@shiro.apache.org by zooxmusic <br...@109forest.com> on 2010/11/07 23:18:32 UTC
SessionListeners with Spring and a Swing Desktop
What is the recommended way to add a session listener in a spring application
and configuration?
I've found a few posts but they are all out of date with the information yet
only a few months old. The sessionListeners are on
AbstractNativeSessionManager not DefaultWebSecurityManager or the other
classes that were in the posts I've read.
I would prefer to add the listener through the applicationContext if
possible but the ini would be just fine if you can tell me how to cast in
that format because I obviously get a classCastException if I do what the
post said because setSessionListeners are on the
AbstractNativeSessionManager and not DefaultWebSecurityManager.
--
View this message in context: http://shiro-user.582556.n2.nabble.com/SessionListeners-with-Spring-and-a-Swing-Desktop-tp5715272p5715272.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: SessionListeners with Spring and a Swing Desktop
Posted by zooxmusic <br...@109forest.com>.
Kind of, I have to see what I am doing wrong because it's not re-creating the
session. Or maybe I am thinking of this wrong. Currently I only implemented
login, we haven't defined the permissions on the rest of the system and the
part that is working doesn't really have any security. So for a few calls I
do call
    Subject currentUser = SecurityUtils.getSubject();
    if (Util.isNull(currentUser)) throw new IllegalStateException("There is no current user logged in");
    Long userId = (Long) currentUser.getPrincipal();
    if (Util.isNull(userId)) throw new IllegalStateException("Current user id was not found");
    User user = this.find(userId);
and this works fine so long as I haven't let my session expire. If it does
then I no longer have the userId.
It's late and I am guessing I am about to say a "duh" but I have a blind spot
on this right now.
Brian
Re: SessionListeners with Spring and a Swing Desktop
Posted by Les Hazlewood <lh...@apache.org>.
> Actually I realized that the autoCreate after the session expires is what I
> want to work, I could care less about the SessionListener (but it might be
> nice to see how to do that).
This works out of the box with Shiro 1.x. If the SecurityManager
encounters an InvalidSessionException when creating a Subject
instance, it will log the exception and return the Subject instance
without a session. So the next call to subject.getSession() will
create a new session.
In JSecurity this used to be done in the JSecurityFilter, but that
logic has since been pushed down into the SecurityManager
implementation because it was a feature that was desired in most
application environments, and not just web applications.
Does that help answer your question?
Cheers,
--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
>
> I see everywhere this is the default behavior but it's not working for me. I
> am assuming I did something wrong even though my app mirrors your spring
> example exactly.
>
> So if I can simply ask a question;
>
> How do I enable the autoCreate after session expired using the
> DefaultWebSecurityManager in native mode using Spring and a Swing Desktop?
> Is it with a specific Filter? I've seen a few posts that said JSecurityFilter
> does this but there is no more JSecurity anything and there are no examples
> that look to have such a filter.
>
> Brian
Re: SessionListeners with Spring and a Swing Desktop
Posted by zooxmusic <br...@109forest.com>.
Anybody?
Re: SessionListeners with Spring and a Swing Desktop
Posted by zooxmusic <br...@109forest.com>.
Actually I realized that the autoCreate after the session expires is what I
want to work, I could care less about the SessionListener (but it might be
nice to see how to do that).
I see everywhere this is the default behavior but it's not working for me. I
am assuming I did something wrong even though my app mirrors your spring
example exactly.
So if I can simply ask a question;
How do I enable the autoCreate after session expired using the
DefaultWebSecurityManager in native mode using Spring and a Swing Desktop?
Is it with a specific Filter? I've seen a few posts that said JSecurityFilter
does this but there is no more JSecurity anything and there are no examples
that look to have such a filter.
Brian
Re: SessionListeners with Spring and a Swing Desktop
Posted by zooxmusic <br...@109forest.com>.
Ohh,
Well, it's really on the server. I only do the following on the client:
System.setProperty("shiro.session.id", StringUtil.safeString(result));
This is what was suggested to me (I think by you) on the client side so that
the org.apache.shiro.spring.remoting.SecureRemoteInvocationFactory would
have it available. This was because I actually have a swing login screen and
couldn't set the SESSION_ID on one of the jnlp arguments. That is basically
all I have that is shiro related on the client. Should I be doing more
there?
Brian
Re: SessionListeners with Spring and a Swing Desktop
Posted by Les Hazlewood <lh...@apache.org>.
Ah - is the session being maintained in the client, i.e. in a desktop
application? Or is your Swing desktop app a client to the server and
the server maintains the Shiro sessions?
--
Les Hazlewood
On Thu, Nov 11, 2010 at 7:07 PM, zooxmusic <br...@109forest.com> wrote:
>
> Thanks Les, I had a feeling it was gonna be something like that but I didn't
> know exactly how. I appreciate it.
>
> The other thing though, it doesn't seem that autoCreateSession after the
> session expires (30 min) isn't working for me. Should that be by default in
> native mode?
>
> Brian
Re: SessionListeners with Spring and a Swing Desktop
Posted by zooxmusic <br...@109forest.com>.
Thanks Les, I had a feeling it was gonna be something like that but I didn't
know exactly how. I appreciate it.
The other thing though, it doesn't seem that autoCreateSession after the
session expires (30 min) isn't working for me. Should that be by default in
native mode?
Brian
Re: SessionListeners with Spring and a Swing Desktop
Posted by Les Hazlewood <lh...@apache.org>.
Hi Brian,
This should work:
<bean id="securityManager" ....>
    <!-- this property will automatically enable 'native' sessions and the
         native session manager: -->
    <property name="sessionMode" value="native"/>
    <!-- this property will set the SessionListeners on the newly created
         native session manager (I think Spring allows this type of
         nested property navigation): -->
    <property name="sessionManager.sessionListeners">
        <list>
            <!-- Add your SessionListener beans here: -->
        </list>
    </property>
    ....
</bean>
The 'trick' to having this work is that when you call 'setSessionMode'
to 'native', that will trigger logic to automatically substitute the
web-default ServletContainerSessionManager with the native
DefaultWebSessionManager.
You have to set the 'sessionMode' property first in order to ensure
the substitution occurs.
This is a bit hacky as far as I'm concerned, and this should really be
cleaned up with a Builder that can do this logic in a more
deterministic manner. If you don't like the 'set this property before
the other one otherwise it will break' approach, you can use a more
explicit assignment - it's just more verbose (but safer):
<bean id="securityManager"
      class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="sessionManager">
        <bean class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
            <property name="sessionListeners">
                <list>
                    <!-- SessionListener beans here: -->
                </list>
            </property>
        </bean>
    </property>
    <property name="realm" ref="myRealm"/>
    ...
</bean>
HTH!
Best,
--
Les Hazlewood
On Sun, Nov 7, 2010 at 2:18 PM, zooxmusic <br...@109forest.com> wrote:
>
> What is the recommended way to add a session listener in a spring application
> and configuration?
>
> I've found a few posts but they are all out of date with the information yet
> only a few months old. The sessionListeners are on
> AbstractNativeSessionManager not DefaultWebSecurityManager or the other
> classes that were in the posts I've read.
>
> I would prefer to add the listener through the applicationContext if
> possible but the ini would be just fine if you can tell me how to cast in
> that format because I obviously get a classCastException if I do what the
> post said because setSessionListeners are on the
> AbstractNativeSessionManager and not DefaultWebSecurityManager.
>
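
An added example, not part of the original thread and not Shiro's own code: a listener bean that could go inside either <list> in the reply above, written against the Shiro 1.x org.apache.shiro.session.SessionListener interface. The class name AuditSessionListener, its package and the log format are assumptions; it records start, stop and expiration events and logs only a hashed reference to the session id, because the id is the value the client presents to resume its session.

```java
package com.example.audit; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;

// Hypothetical audit listener. Wire it into the Spring context with
//   <bean class="com.example.audit.AuditSessionListener"/>
// inside the <list> of the sessionListeners property.
public class AuditSessionListener implements SessionListener {

    private static final Logger LOG =
            Logger.getLogger(AuditSessionListener.class.getName());

    @Override
    public void onStart(Session session) { audit("START", session); }

    @Override
    public void onStop(Session session) { audit("STOP", session); }

    // Called when the session manager detects that the timeout has elapsed.
    @Override
    public void onExpiration(Session session) { audit("EXPIRED", session); }

    private void audit(String event, Session session) {
        LOG.info(String.format("session %s ref=%s host=%s started=%s lastAccess=%s",
                event, ref(session.getId()), session.getHost(),
                session.getStartTimestamp(), session.getLastAccessTime()));
    }

    // Never write the raw session id to a log: anyone who can read the log
    // could replay it. A short SHA-256 prefix is enough to correlate events.
    static String ref(Object sessionId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(String.valueOf(sessionId).getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 6; i++) {
                hex.append(String.format("%02x", digest[i]));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }
}
```

An EXPIRED line in the server log followed by a client call carrying the same session reference is the point at which the principal lookup described earlier in the thread would start returning null.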