Posted to commits@shiro.apache.org by lh...@apache.org on 2009/02/17 16:24:08 UTC
svn commit: r745117 - in /incubator/jsecurity/trunk: ./ samples/quickstart/
samples/standalone/ web/src/org/jsecurity/web/
web/src/org/jsecurity/web/servlet/ web/src/org/jsecurity/web/session/
Author: lhazlewood
Date: Tue Feb 17 15:24:02 2009
New Revision: 745117
URL: http://svn.apache.org/viewvc?rev=745117&view=rev
Log:
removing project files for now (seeing errors in my IDE) - will re-add them after cleanup. Also added some utility methods to reduce method complexity
Removed:
incubator/jsecurity/trunk/jsecurity.iml
incubator/jsecurity/trunk/jsecurity.ipr
incubator/jsecurity/trunk/samples/quickstart/quickstart.iml
incubator/jsecurity/trunk/samples/standalone/standalone.iml
Modified:
incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java (original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java Tue Feb 17 15:24:02 2009
@@ -75,7 +75,7 @@
this();
setRealms(realms);
}
-
+
/**
* Sets the path used to store the remember me cookie. This determines which paths
* are able to view the remember me cookie.
@@ -149,7 +149,6 @@
LifecycleUtils.destroy(getSessionManager());
WebSessionManager sessionManager = createSessionManager(mode);
setSessionManager(sessionManager);
- setSubjectFactory(new WebSubjectFactory(this, sessionManager));
}
}
Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java (original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java Tue Feb 17 15:24:02 2009
@@ -85,9 +85,14 @@
}
protected Session getWebSession() {
- ServletRequest request = WebUtils.getRequiredServletRequest();
- ServletResponse response = WebUtils.getRequiredServletResponse();
- return getWebSessionManager().getSession(request, response);
+ ServletRequest request = WebUtils.getServletRequest();
+ ServletResponse response = WebUtils.getServletResponse();
+ if ( request == null || response == null ) {
+ //no current web request - probably a remote method invocation that didn't come in via a servlet request:
+ return null;
+ } else {
+ return getWebSessionManager().getSession(request, response);
+ }
}
@Override
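Review bot: `getWebSession()` now returns `null` whenever either thread-bound object is missing, and nothing in the hunk records that the fallback was taken. A servlet call that reaches this method without the filter having bound the request and response is therefore handled like a remote invocation instead of failing as `getRequiredServletRequest()` did. The `||` also accepts the state where only one of the two is bound, which looks more like a binding error than a non-HTTP call. I would document the contract on the method, `@return the web session, or {@code null} if no servlet request/response is bound to the current thread`, and log the fallback at debug level if this class has a logger (none is visible in the hunk).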
@@ -110,7 +115,10 @@
InetAddress inet = inetAddress;
if (inet == null) {
- inet = WebUtils.getInetAddress(WebUtils.getRequiredServletRequest());
+ ServletRequest request = WebUtils.getServletRequest();
+ if ( request != null ) {
+ inet = WebUtils.getInetAddress(request);
+ }
}
return super.createSubject(pc, session, authc, inet);
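Review bot: `inet` can now still be `null` when it reaches `super.createSubject(pc, session, authc, inet)`, where the old code threw if no request was bound. Whether the superclass accepts a null address is not visible here, so a subject created for a non-servlet call may carry no origin host, which matters to anything downstream that records or checks the caller's address. A comment at the inner `if`, such as `// inet stays null for non-servlet invocations; the subject is created without an origin address`, would make that explicit. The enclosing method starts and ends outside the hunk.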
Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java (original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java Tue Feb 17 15:24:02 2009
@@ -305,6 +305,29 @@
}
/**
+ * Returns the current thread-bound {@code ServletRequest} or {@code null} if there is not one bound.
+ * <p/>
+ * It is the case in certain enterprise environments where a web-enabled SecurityManager (and its internal mechanisms)
+ * is the primary SecurityManager but also serves as a 'central' coordinator for security operations in a cluster.
+ * In these environments, it is possible for a web-enabled SecurityManager to receive remote method invocations that
+ * are not HTTP based.
+ * <p/>
+ * In these environments, we need to acquire a thread-bound ServletRequest if it exists, but
+ * not throw an exception if one is not found (with the assumption that the incoming call is not a web request but
+ * instead a remote method invocation). This method exists to support these environments, whereas the
+ * {@link #getRequiredServletRequest() getRequiredServletRequest()} method always assumes a
+ * servlet-only environment.
+ * <p/>
+ * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It exists for JSecurity implementation requirements only.
+ *
+ * @return the current thread-bound {@code ServletRequest} or {@code null} if there is not one bound.
+ * @since 1.0
+ */
+ public static ServletRequest getServletRequest() {
+ return (ServletRequest) ThreadContext.get(SERVLET_REQUEST_KEY);
+ }
+
+ /**
* Convenience method that simplifies retrieval of a required thread-bound ServletRequest. If there is no
* ServletRequest bound to the thread when this method is called, an <code>IllegalStateException</code> is
* thrown.
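Review bot: `getServletRequest()` is declared `public static` although its Javadoc says it is not part of JSecurity's public API, so nothing stops application code from calling the nullable variant and treating a missing request as normal. The caller added in this commit, `WebSubjectFactory`, is in the same `org.jsecurity.web` package, so package-private visibility would enforce the statement, provided no caller outside the package needs it (not visible from this diff). The same applies to `getServletResponse()` in the next hunk. If both must stay public, the Javadoc should at least tell callers to prefer `getRequiredServletRequest()` wherever a request is expected.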
@@ -368,6 +391,29 @@
}
/**
+ * Returns the current thread-bound {@code ServletResponse} or {@code null} if there is not one bound.
+ * <p/>
+ * It is the case in certain enterprise environments where a web-enabled SecurityManager (and its internal mechanisms)
+ * is the primary SecurityManager but also serves as a 'central' coordinator for security operations in a cluster.
+ * In these environments, it is possible for a web-enabled SecurityManager to receive remote method invocations that
+ * are not HTTP based.
+ * <p/>
+ * In these environments, we need to acquire a thread-bound ServletResponse if it exists, but
+ * not throw an exception if one is not found (with the assumption that the incoming call is not a web request but
+ * instead a remote method invocation). This method exists to support these environments, whereas the
+ * {@link #getRequiredServletResponse() getRequiredServletResponse()} method always assumes a
+ * servlet-only environment.
+ * <p/>
+ * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It exists for JSecurity implementation requirements only.
+ *
+ * @return the current thread-bound {@code ServletResponse} or {@code null} if there is not one bound.
+ * @since 1.0
+ */
+ public static ServletResponse getServletResponse() {
+ return (ServletResponse) ThreadContext.get(SERVLET_RESPONSE_KEY);
+ }
+
+ /**
* Convenience method that simplifies retrieval of a required thread-bound ServletResponse. If there is no
* ServletResponse bound to the thread when this method is called, an <code>IllegalStateException</code> is
* thrown.
Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java (original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java Tue Feb 17 15:24:02 2009
@@ -42,21 +42,21 @@
/**
* Main ServletFilter that configures and enables all JSecurity functions within a web application.
- *
+ * <p/>
* The following is a fully commented example that documents how to configure it:
- *
+ * <p/>
* <pre><filter>
* <filter-name>JSecurityFilter</filter-name>
* <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
* <init-param><param-name>config</param-name><param-value>
- *
+ * <p/>
* #NOTE: This config looks pretty long - but its not - its only 5 lines of actual config.
* # Everything else is just heavily commented to explain things in-depth. Feel free to delete any
* # comments that you don't want to read from your own configuration ;)
* #
* # Any commented values below are JSecurity's defaults. If you want to change any values, you only
* # need to uncomment the lines you want to change.
- *
+ * <p/>
* [main]
* # The 'main' section defines JSecurity-wide configuration.
* #
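Review bot: Several of the `<p/>` replacements land after the `<pre>` opened in this hunk, inside the sample configuration (directly after the `<param-value>` line and before `[main]`), where they become part of the example text rather than paragraph breaks. Someone copying the sample into web.xml would carry stray `<p/>` tokens into the filter config, and the blank lines that separated the sections are gone. Inside the `<pre>` block the original bare ` *` lines should be kept; the same applies to the `<p/>` lines in the hunks at -69, -112 and -158. The closing `</pre>` is outside the visible hunks, so this assumes the block runs to the end of the example.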
@@ -69,7 +69,7 @@
* #
* #securityManager = {@link org.jsecurity.web.DefaultWebSecurityManager org.jsecurity.web.DefaultWebSecurityManager}
* #securityManager.{@link org.jsecurity.web.DefaultWebSecurityManager#setSessionMode(String) sessionMode} = http
- *
+ * <p/>
* [filters]
* # This section defines the 'pool' of all Filters available to the url path definitions in the [urls] section below.
* #
@@ -112,7 +112,7 @@
* #
* # Define your own filters here. To properly handle url path matching (see the [urls] section below), your
* # filter should extend the {@link org.jsecurity.web.filter.PathMatchingFilter PathMatchingFilter} abstract class.
- *
+ * <p/>
* [urls]
* # This section defines url path mappings. Each mapping entry must be on a single line and conform to the
* # following representation:
@@ -158,14 +158,14 @@
* # the text between the brackets as two permissions: 'remote:invoke:lan' and 'wan' instead of the
* # single desired 'remote:invoke:lan,wan' token. So, you can use quotes wherever you need to escape internal
* # commas.)
- *
+ * <p/>
* /account/** = <a href="#authcBasic">authcBasic</a>
* /remoting/** = <a href="#authcBasic">authcBasic</a>, <a href="#roles">roles</a>[b2bClient], <a href="#perms">perms</a>[remote:invoke:"lan,wan"]
- *
+ * <p/>
* </param-value></init-param>
* </filter>
- *
- *
+ * <p/>
+ * <p/>
* <filter-mapping>
* <filter-name>JSecurityFilter</filter-name>
* <url-pattern>/*</url-pattern>
@@ -185,7 +185,7 @@
public static final String CONFIG_INIT_PARAM_NAME = "config";
public static final String CONFIG_URL_INIT_PARAM_NAME = "configUrl";
- private static final Log log = LogFactory.getLog(JSecurityFilter.class);
+ private static final Log log = LogFactory.getLog(JSecurityFilter.class);
protected String config;
protected String configUrl;
@@ -238,7 +238,7 @@
if (sm == null) {
if (log.isInfoEnabled()) {
log.info("Configuration instance [" + config + "] did not provide a SecurityManager. No config " +
- "specified? Defaulting to a " + DefaultWebSecurityManager.class.getName() + " instance...");
+ "specified? Defaulting to a " + DefaultWebSecurityManager.class.getName() + " instance...");
}
sm = new DefaultWebSecurityManager();
}
@@ -255,8 +255,8 @@
this.configClassName = configCN;
} else {
String msg = "configClassName fully qualified class name value [" + configCN + "] is not " +
- "available in the classpath. Please ensure you have typed it correctly and the " +
- "corresponding class or jar is in the classpath.";
+ "available in the classpath. Please ensure you have typed it correctly and the " +
+ "corresponding class or jar is in the classpath.";
throw new ConfigurationException(msg);
}
}
@@ -277,7 +277,7 @@
protected void applyFilterConfig(WebConfiguration conf) {
if (log.isDebugEnabled()) {
String msg = "Attempting to inject the FilterConfig (using 'setFilterConfig' method) into the " +
- "instantiated WebConfiguration for any wrapped Filter initialization...";
+ "instantiated WebConfiguration for any wrapped Filter initialization...";
log.debug(msg);
}
try {
@@ -301,9 +301,9 @@
PropertyUtils.setProperty(conf, "config", this.config);
} else {
String msg = "The 'config' filter param was specified, but there is no " +
- "'setConfig(String)' method on the Configuration instance [" + conf + "]. If you do " +
- "not require the 'config' filter param, please comment it out, or if you do need it, " +
- "please ensure your Configuration instance has a 'setConfig(String)' method to receive it.";
+ "'setConfig(String)' method on the Configuration instance [" + conf + "]. If you do " +
+ "not require the 'config' filter param, please comment it out, or if you do need it, " +
+ "please ensure your Configuration instance has a 'setConfig(String)' method to receive it.";
throw new ConfigurationException(msg);
}
} catch (Exception e) {
@@ -322,9 +322,9 @@
PropertyUtils.setProperty(conf, "configUrl", this.configUrl);
} else {
String msg = "The 'configUrl' filter param was specified, but there is no " +
- "'setConfigUrl(String)' method on the Configuration instance [" + conf + "]. If you do " +
- "not require the 'configUrl' filter param, please comment it out, or if you do need it, " +
- "please ensure your Configuration instance has a 'setConfigUrl(String)' method to receive it.";
+ "'setConfigUrl(String)' method on the Configuration instance [" + conf + "]. If you do " +
+ "not require the 'configUrl' filter param, please comment it out, or if you do need it, " +
+ "please ensure your Configuration instance has a 'setConfigUrl(String)' method to receive it.";
throw new ConfigurationException(msg);
}
} catch (Exception e) {
@@ -347,26 +347,69 @@
return WebUtils.getInetAddress(request);
}
- protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse,
- FilterChain origChain) throws ServletException, IOException {
+ /**
+ * Wraps the original HttpServletRequest in a {@link JSecurityHttpServletRequest}
+ * @since 1.0
+ */
+ protected ServletRequest wrapServletRequest(HttpServletRequest orig) {
+ return new JSecurityHttpServletRequest(orig, getServletContext(), isHttpSessions());
+ }
- HttpServletRequest request = (HttpServletRequest) servletRequest;
- HttpServletResponse response = (HttpServletResponse) servletResponse;
+ /** @since 1.0 */
+ protected ServletRequest prepareServletRequest(ServletRequest request, ServletResponse response,
+ FilterChain chain) {
+ ServletRequest toUse = request;
+ if (request instanceof HttpServletRequest) {
+ HttpServletRequest http = (HttpServletRequest) request;
+ toUse = wrapServletRequest(http);
+ }
+ return toUse;
+ }
- ThreadContext.bind(getInetAddress(request));
+ /** @since 1.0 */
+ protected ServletResponse wrapServletResponse(HttpServletResponse orig, JSecurityHttpServletRequest request) {
+ return new JSecurityHttpServletResponse(orig, getServletContext(), request);
+ }
- boolean httpSessions = isHttpSessions();
- request = new JSecurityHttpServletRequest(request, getServletContext(), httpSessions);
- if (!httpSessions) {
+ /** @since 1.0 */
+ protected ServletResponse prepareServletResponse(ServletRequest request, ServletResponse response,
+ FilterChain chain) {
+ ServletResponse toUse = response;
+ if (isHttpSessions() && (request instanceof JSecurityHttpServletRequest) &&
+ (response instanceof HttpServletResponse)) {
//the JSecurityHttpServletResponse exists to support URL rewriting for session ids. This is only needed if
//using JSecurity sessions (i.e. not simple HttpSession based sessions):
- response = new JSecurityHttpServletResponse(response, getServletContext(), (JSecurityHttpServletRequest) request);
+ toUse = wrapServletResponse((HttpServletResponse) response, (JSecurityHttpServletRequest) request);
}
+ return toUse;
+ }
+ /** @since 1.0 */
+ protected void bind(ServletRequest request, ServletResponse response) {
+ WebUtils.bindInetAddressToThread(request);
WebUtils.bind(request);
WebUtils.bind(response);
ThreadContext.bind(getSecurityManager());
ThreadContext.bind(getSecurityManager().getSubject());
+ }
+
+ /** @since 1.0 */
+ protected void unbind(ServletRequest request, ServletResponse response) {
+ //arguments ignored, just clear the thread:
+ ThreadContext.unbindSubject();
+ ThreadContext.unbindSecurityManager();
+ WebUtils.unbindServletResponse();
+ WebUtils.unbindServletRequest();
+ ThreadContext.unbindInetAddress();
+ }
+
+ protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse,
+ FilterChain origChain) throws ServletException, IOException {
+
+ ServletRequest request = prepareServletRequest(servletRequest, servletResponse, origChain);
+ ServletResponse response = prepareServletResponse(request, servletResponse, origChain);
+
+ bind(request, response);
FilterChain chain = getConfiguration().getChain(request, response, origChain);
if (chain == null) {
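Review bot: The session-mode test in `prepareServletResponse` is inverted: the removed code wrapped the response under `if (!httpSessions)`, and the retained comment says the wrapper is only needed for JSecurity sessions, but the new condition starts with `isHttpSessions() &&`. As written, the URL-rewriting response wrapper is applied in HttpSession mode and skipped for native sessions; the first operand should be `!isHttpSessions()`. Separately, `bind()` calls the static `WebUtils.bindInetAddressToThread(request)` where the old code used `ThreadContext.bind(getInetAddress(request))`, so a subclass override of what appears to be the filter's own `getInetAddress` (its tail is at the top of this hunk) no longer affects the bound address. `doFilterInternal` continues past the end of the hunk.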
@@ -383,11 +426,7 @@
try {
chain.doFilter(request, response);
} finally {
- ThreadContext.unbindSubject();
- ThreadContext.unbindSecurityManager();
- WebUtils.unbindServletResponse();
- WebUtils.unbindServletRequest();
- ThreadContext.unbindInetAddress();
+ unbind(request, response);
}
}
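Review bot: `unbind(request, response)` only runs for failures inside this `try`, while `bind(request, response)` and `getConfiguration().getChain(...)` in the previous hunk execute before it. If chain resolution throws, the Subject, SecurityManager, request and response stay bound to a thread the container may reuse, and the nullable lookups added in this commit could then pick up those leftovers on a later non-servlet call. Moving the `bind(...)` call and the chain lookup inside the `try` (`try { bind(request, response); ...`) closes that gap. The lines between the two hunks are not shown, so confirm nothing there already guards this.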
Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java?rev=745117&r1=745116&r2=745117&view=diff
==============================================================================
--- incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java (original)
+++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java Tue Feb 17 15:24:02 2009
@@ -229,7 +229,8 @@
return sessionId;
}
- public Session retrieveSession(Serializable sessionId) throws InvalidSessionException, AuthorizationException {
+ @Override
+ protected Session retrieveSession(Serializable sessionId) throws InvalidSessionException, AuthorizationException {
if (sessionId != null) {
return super.retrieveSession(sessionId);
} else {
Re: svn commit: r745117 - in /incubator/jsecurity/trunk: ./
samples/quickstart/ samples/standalone/ web/src/org/jsecurity/web/
web/src/org/jsecurity/web/servlet/ web/src/org/jsecurity/web/session/
Posted by Les Hazlewood <lh...@apache.org>.
Yep, I've been using it in 8 - it's really great! Much better than before :)
On Wed, Feb 18, 2009 at 1:03 AM, David O'Flynn <do...@atlassian.com>wrote:
> We've found some issues with that for larger products.
>
> IDEA's mvn integration has gotten a lot better in v8. You can open the
> pom.xml directly from IDEA, and IDEA is also happy to use mvn for building
> the project too.
>
>
>
>
> On 18/02/2009, at 4:20 PM, Alan D. Cabrera wrote:
>
> Easy enough to fix:
>>
>> mvn idea:idea
>>
>>
>> :D
>>
>>
>> Regards,
>> Alan
>>
>> On Feb 17, 2009, at 7:43 AM, Les Hazlewood wrote:
>>
>> This was a result of me hosing something with my own installation that I
>>> didn't understand. The easiest thing to do was to remove and replace
>>> once I
>>> got it up and running - I didn't want to waste time investigating how I
>>> broke it. This is the first time I've seen this issue in 4 years, and
>>> odds
>>> are very high it is because of user error :)
>>>
>>> On Tue, Feb 17, 2009 at 10:29 AM, Emmanuel Lecharny <
>>> elecharny@apache.org>wrote:
>>>
>>> I don't get it ...
>>>>
>>>> Either the project files are a (temporarily) hassle, and then you just
>>>> need to remove them completely, and you don't have to inject them back
>>>> (remind me a previous convo ;), or you keep them in svn, add some
>>>> svn:ignore flags locally and remove them from your disk, and when they
>>>> are fixed, you remove the svn:ignore property. That should do the
>>>> trick, IMO?
>>>>
>>>> On Tue, Feb 17, 2009 at 4:24 PM, <lh...@apache.org> wrote:
>>>>
>>>>> Author: lhazlewood
>>>>> Date: Tue Feb 17 15:24:02 2009
>>>>> New Revision: 745117
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=745117&view=rev
>>>>> Log:
>>>>> removing project files for now (seeing errors in my IDE) - will re-add
>>>>>
>>>> them after cleanup. Also added some utility methods to reduce method
>>>> complexity
>>>>
>>>>>
>>>>> Removed:
>>>>> incubator/jsecurity/trunk/jsecurity.iml
>>>>> incubator/jsecurity/trunk/jsecurity.ipr
>>>>> incubator/jsecurity/trunk/samples/quickstart/quickstart.iml
>>>>> incubator/jsecurity/trunk/samples/standalone/standalone.iml
>>>>> Modified:
>>>>>
>>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
>>>>
>>>>>
>>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
>>>>
>>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
>>>>>
>>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
>>>>
>>>>>
>>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
>>>>
>>>>>
>>>>> Modified:
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
>>>>
>>>>> URL:
>>>>>
>>>>
>>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>>>>
>>>>> ==============================================================================
>>>>
>>>>> ---
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
>>>> (original)
>>>>
>>>>> +++
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
>>>> Tue Feb 17 15:24:02 2009
>>>>
>>>>> @@ -75,7 +75,7 @@
>>>>> this();
>>>>> setRealms(realms);
>>>>> }
>>>>> -
>>>>> +
>>>>> /**
>>>>> * Sets the path used to store the remember me cookie. This
>>>>>
>>>> determines which paths
>>>>
>>>>> * are able to view the remember me cookie.
>>>>> @@ -149,7 +149,6 @@
>>>>> LifecycleUtils.destroy(getSessionManager());
>>>>> WebSessionManager sessionManager =
>>>>>
>>>> createSessionManager(mode);
>>>>
>>>>> setSessionManager(sessionManager);
>>>>> - setSubjectFactory(new WebSubjectFactory(this,
>>>>>
>>>> sessionManager));
>>>>
>>>>> }
>>>>> }
>>>>>
>>>>>
>>>>> Modified:
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
>>>>
>>>>> URL:
>>>>>
>>>>
>>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>>>>
>>>>> ==============================================================================
>>>>
>>>>> ---
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
>>>> (original)
>>>>
>>>>> +++
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
>>>> Tue Feb 17 15:24:02 2009
>>>>
>>>>> @@ -85,9 +85,14 @@
>>>>> }
>>>>>
>>>>> protected Session getWebSession() {
>>>>> - ServletRequest request = WebUtils.getRequiredServletRequest();
>>>>> - ServletResponse response =
>>>>>
>>>> WebUtils.getRequiredServletResponse();
>>>>
>>>>> - return getWebSessionManager().getSession(request, response);
>>>>> + ServletRequest request = WebUtils.getServletRequest();
>>>>> + ServletResponse response = WebUtils.getServletResponse();
>>>>> + if ( request == null || response == null ) {
>>>>> + //no current web request - probably a remote method
>>>>>
>>>> invocation that didn't come in via a servlet request:
>>>>
>>>>> + return null;
>>>>> + } else {
>>>>> + return getWebSessionManager().getSession(request,
>>>>> response);
>>>>> + }
>>>>> }
>>>>>
>>>>> @Override
>>>>> @@ -110,7 +115,10 @@
>>>>>
>>>>> InetAddress inet = inetAddress;
>>>>> if (inet == null) {
>>>>> - inet =
>>>>>
>>>> WebUtils.getInetAddress(WebUtils.getRequiredServletRequest());
>>>>
>>>>> + ServletRequest request = WebUtils.getServletRequest();
>>>>> + if ( request != null ) {
>>>>> + inet = WebUtils.getInetAddress(request);
>>>>> + }
>>>>> }
>>>>>
>>>>> return super.createSubject(pc, session, authc, inet);
>>>>>
>>>>> Modified:
>>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
>>>>
>>>>> URL:
>>>>>
>>>>
>>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>>>>
>>>>> ==============================================================================
>>>>
>>>>> --- incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
>>>>>
>>>> (original)
>>>>
>>>>> +++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
>>>>> Tue
>>>>>
>>>> Feb 17 15:24:02 2009
>>>>
>>>>> @@ -305,6 +305,29 @@
>>>>> }
>>>>>
>>>>> /**
>>>>> + * Returns the current thread-bound {@code ServletRequest} or
>>>>> {@code
>>>>>
>>>> null} if there is not one bound.
>>>>
>>>>> + * <p/>
>>>>> + * It is the case in certain enterprise environments where a
>>>>>
>>>> web-enabled SecurityManager (and its internal mechanisms)
>>>>
>>>>> + * is the primary SecurityManager but also serves as a 'central'
>>>>>
>>>> coordinator for security operations in a cluster.
>>>>
>>>>> + * In these environments, it is possible for a web-enabled
>>>>>
>>>> SecurityManager to receive remote method invocations that
>>>>
>>>>> + * are not HTTP based.
>>>>> + * <p/>
>>>>> + * In these environments, we need to acquire a thread-bound
>>>>>
>>>> ServletRequest if it exists, but
>>>>
>>>>> + * not throw an exception if one is not found (with the assumption
>>>>>
>>>> that the incoming call is not a web request but
>>>>
>>>>> + * instead a remote method invocation). This method exists to
>>>>>
>>>> support these environments, whereas the
>>>>
>>>>> + * {@link #getRequiredServletRequest()
>>>>> getRequiredServletRequest()}
>>>>>
>>>> method always assumes a
>>>>
>>>>> + * servlet-only environment.
>>>>> + * <p/>
>>>>> + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It exists
>>>>> for
>>>>>
>>>> JSecurity implementation requirements only.
>>>>
>>>>> + *
>>>>> + * @return the current thread-bound {@code ServletRequest} or
>>>>> {@code
>>>>>
>>>> null} if there is not one bound.
>>>>
>>>>> + * @since 1.0
>>>>> + */
>>>>> + public static ServletRequest getServletRequest() {
>>>>> + return (ServletRequest)
>>>>> ThreadContext.get(SERVLET_REQUEST_KEY);
>>>>> + }
>>>>> +
>>>>> + /**
>>>>> * Convenience method that simplifies retrieval of a required
>>>>>
>>>> thread-bound ServletRequest. If there is no
>>>>
>>>>> * ServletRequest bound to the thread when this method is called, an
>>>>>
>>>> <code>IllegalStateException</code> is
>>>>
>>>>> * thrown.
>>>>> @@ -368,6 +391,29 @@
>>>>> }
>>>>>
>>>>> /**
>>>>> + * Returns the current thread-bound {@code ServletResponse} or
>>>>>
>>>> {@code null} if there is not one bound.
>>>>
>>>>> + * <p/>
>>>>> + * It is the case in certain enterprise environments where a
>>>>>
>>>> web-enabled SecurityManager (and its internal mechanisms)
>>>>
>>>>> + * is the primary SecurityManager but also serves as a 'central'
>>>>>
>>>> coordinator for security operations in a cluster.
>>>>
>>>>> + * In these environments, it is possible for a web-enabled
>>>>>
>>>> SecurityManager to receive remote method invocations that
>>>>
>>>>> + * are not HTTP based.
>>>>> + * <p/>
>>>>> + * In these environments, we need to acquire a thread-bound
>>>>>
>>>> ServletResponse if it exists, but
>>>>
>>>>> + * not throw an exception if one is not found (with the assumption
>>>>>
>>>> that the incoming call is not a web request but
>>>>
>>>>> + * instead a remote method invocation). This method exists to
>>>>>
>>>> support these environments, whereas the
>>>>
>>>>> + * {@link #getRequiredServletResponse()
>>>>>
>>>> getRequiredServletResponse()} method always assumes a
>>>>
>>>>> + * servlet-only environment.
>>>>> + * <p/>
>>>>> + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It exists
>>>>> for
>>>>>
>>>> JSecurity implementation requirements only.
>>>>
>>>>> + *
>>>>> + * @return the current thread-bound {@code ServletResponse} or
>>>>>
>>>> {@code null} if there is not one bound.
>>>>
>>>>> + * @since 1.0
>>>>> + */
>>>>> + public static ServletResponse getServletResponse() {
>>>>> + return (ServletResponse)
>>>>>
>>>> ThreadContext.get(SERVLET_RESPONSE_KEY);
>>>>
>>>>> + }
>>>>> +
>>>>> + /**
>>>>> * Convenience method that simplifies retrieval of a required
>>>>>
>>>> thread-bound ServletResponse. If there is no
>>>>
>>>>> * ServletResponse bound to the thread when this method is called, an
>>>>>
>>>> <code>IllegalStateException</code> is
>>>>
>>>>> * thrown.
>>>>>
>>>>> Modified:
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
>>>>
>>>>> URL:
>>>>>
>>>>
>>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>>>>
>>>>> ==============================================================================
>>>>
>>>>> ---
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
>>>> (original)
>>>>
>>>>> +++
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
>>>> Tue Feb 17 15:24:02 2009
>>>>
>>>>> @@ -42,21 +42,21 @@
>>>>>
>>>>> /**
>>>>> * Main ServletFilter that configures and enables all JSecurity
>>>>> functions
>>>>>
>>>> within a web application.
>>>>
>>>>> - *
>>>>> + * <p/>
>>>>> * The following is a fully commented example that documents how to
>>>>>
>>>> configure it:
>>>>
>>>>> - *
>>>>> + * <p/>
>>>>> * <pre><filter>
>>>>> * <filter-name>JSecurityFilter</filter-name>
>>>>> *
>>>>>
>>>>
>>>> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>>>>
>>>>> *
>>>>>
>>>>
>>>> <init-param><param-name>config</param-name><param-value>
>>>>
>>>>> - *
>>>>> + * <p/>
>>>>> * #NOTE: This config looks pretty long - but its not - its only 5
>>>>> lines
>>>>>
>>>> of actual config.
>>>>
>>>>> * # Everything else is just heavily commented to explain things
>>>>>
>>>> in-depth. Feel free to delete any
>>>>
>>>>> * # comments that you don't want to read from your own
>>>>>
>>>> configuration ;)
>>>>
>>>>> * #
>>>>> * # Any commented values below are JSecurity's defaults. If you want
>>>>> to
>>>>>
>>>> change any values, you only
>>>>
>>>>> * # need to uncomment the lines you want to change.
>>>>> - *
>>>>> + * <p/>
>>>>> * [main]
>>>>> * # The 'main' section defines JSecurity-wide configuration.
>>>>> * #
>>>>> @@ -69,7 +69,7 @@
>>>>> * #
>>>>> * #securityManager = {@link org.jsecurity.web.DefaultWebSecurityManager
>>>>>
>>>> org.jsecurity.web.DefaultWebSecurityManager}
>>>>
>>>>> * #securityManager.{@linkorg.jsecurity.web.DefaultWebSecurityManager
>>>>> #setSessionMode(String)
>>>>>
>>>> sessionMode} = http
>>>>
>>>>> - *
>>>>> + * <p/>
>>>>> * [filters]
>>>>> * # This section defines the 'pool' of all Filters available to the url
>>>>>
>>>> path definitions in the [urls] section below.
>>>>
>>>>> * #
>>>>> @@ -112,7 +112,7 @@
>>>>> * #
>>>>> * # Define your own filters here. To properly handle url path matching
>>>>>
>>>> (see the [urls] section below), your
>>>>
>>>>> * # filter should extend the {@link
>>>>>
>>>> org.jsecurity.web.filter.PathMatchingFilter PathMatchingFilter} abstract
>>>> class.
>>>>
>>>>> - *
>>>>> + * <p/>
>>>>> * [urls]
>>>>> * # This section defines url path mappings. Each mapping entry must be
>>>>>
>>>> on a single line and conform to the
>>>>
>>>>> * # following representation:
>>>>> @@ -158,14 +158,14 @@
>>>>> * # the text between the brackets as two permissions:
>>>>>
>>>> 'remote:invoke:lan' and 'wan' instead of the
>>>>
>>>>> * # single desired 'remote:invoke:lan,wan' token. So, you can use
>>>>>
>>>> quotes wherever you need to escape internal
>>>>
>>>>> * # commas.)
>>>>> - *
>>>>> + * <p/>
>>>>> * /account/** = <a href="#authcBasic">authcBasic</a>
>>>>> * /remoting/** = <a href="#authcBasic">authcBasic</a>, <a
>>>>>
>>>> href="#roles">roles</a>[b2bClient], <a
>>>> href="#perms">perms</a>[remote:invoke:"lan,wan"]
>>>>
>>>>> - *
>>>>> + * <p/>
>>>>> * </param-value></init-param>
>>>>> * </filter>
>>>>> - *
>>>>> - *
>>>>> + * <p/>
>>>>> + * <p/>
>>>>> * <filter-mapping>
>>>>> * <filter-name>JSecurityFilter</filter-name>
>>>>> * <url-pattern>/*</url-pattern>
>>>>> @@ -185,7 +185,7 @@
>>>>> public static final String CONFIG_INIT_PARAM_NAME = "config";
>>>>> public static final String CONFIG_URL_INIT_PARAM_NAME = "configUrl";
>>>>>
>>>>> - private static final Log log =
>>>>>
>>>> LogFactory.getLog(JSecurityFilter.class);
>>>>
>>>>> + private static final Log log =
>>>>>
>>>> LogFactory.getLog(JSecurityFilter.class);
>>>>
>>>>>
>>>>> protected String config;
>>>>> protected String configUrl;
>>>>> @@ -238,7 +238,7 @@
>>>>> if (sm == null) {
>>>>> if (log.isInfoEnabled()) {
>>>>> log.info("Configuration instance [" + config + "] did
>>>>>
>>>> not provide a SecurityManager. No config " +
>>>>
>>>>> - "specified? Defaulting to a " +
>>>>>
>>>> DefaultWebSecurityManager.class.getName() + " instance...");
>>>>
>>>>> + "specified? Defaulting to a " +
>>>>>
>>>> DefaultWebSecurityManager.class.getName() + " instance...");
>>>>
>>>>> }
>>>>> sm = new DefaultWebSecurityManager();
>>>>> }
>>>>> @@ -255,8 +255,8 @@
>>>>> this.configClassName = configCN;
>>>>> } else {
>>>>> String msg = "configClassName fully qualified class name
>>>>>
>>>> value [" + configCN + "] is not " +
>>>>
>>>>> - "available in the classpath. Please ensure
>>>>> you
>>>>>
>>>> have typed it correctly and the " +
>>>>
>>>>> - "corresponding class or jar is in the
>>>>>
>>>> classpath.";
>>>>
>>>>> + "available in the classpath. Please ensure you
>>>>> have
>>>>>
>>>> typed it correctly and the " +
>>>>
>>>>> + "corresponding class or jar is in the classpath.";
>>>>> throw new ConfigurationException(msg);
>>>>> }
>>>>> }
>>>>> @@ -277,7 +277,7 @@
>>>>> protected void applyFilterConfig(WebConfiguration conf) {
>>>>> if (log.isDebugEnabled()) {
>>>>> String msg = "Attempting to inject the FilterConfig (using
>>>>>
>>>> 'setFilterConfig' method) into the " +
>>>>
>>>>> - "instantiated WebConfiguration for any wrapped
>>>>>
>>>> Filter initialization...";
>>>>
>>>>> + "instantiated WebConfiguration for any wrapped Filter
>>>>>
>>>> initialization...";
>>>>
>>>>> log.debug(msg);
>>>>> }
>>>>> try {
>>>>> @@ -301,9 +301,9 @@
>>>>> PropertyUtils.setProperty(conf, "config",
>>>>>
>>>> this.config);
>>>>
>>>>> } else {
>>>>> String msg = "The 'config' filter param was
>>>>>
>>>> specified, but there is no " +
>>>>
>>>>> - "'setConfig(String)' method on the
>>>>>
>>>> Configuration instance [" + conf + "]. If you do " +
>>>>
>>>>> - "not require the 'config' filter param,
>>>>>
>>>> please comment it out, or if you do need it, " +
>>>>
>>>>> - "please ensure your Configuration instance
>>>>>
>>>> has a 'setConfig(String)' method to receive it.";
>>>>
>>>>> + "'setConfig(String)' method on the
>>>>> Configuration
>>>>>
>>>> instance [" + conf + "]. If you do " +
>>>>
>>>>> + "not require the 'config' filter param, please
>>>>>
>>>> comment it out, or if you do need it, " +
>>>>
>>>>> + "please ensure your Configuration instance has
>>>>> a
>>>>>
>>>> 'setConfig(String)' method to receive it.";
>>>>
>>>>> throw new ConfigurationException(msg);
>>>>> }
>>>>> } catch (Exception e) {
>>>>> @@ -322,9 +322,9 @@
>>>>> PropertyUtils.setProperty(conf, "configUrl",
>>>>>
>>>> this.configUrl);
>>>>
>>>>> } else {
>>>>> String msg = "The 'configUrl' filter param was
>>>>>
>>>> specified, but there is no " +
>>>>
>>>>> - "'setConfigUrl(String)' method on the
>>>>>
>>>> Configuration instance [" + conf + "]. If you do " +
>>>>
>>>>> - "not require the 'configUrl' filter param,
>>>>>
>>>> please comment it out, or if you do need it, " +
>>>>
>>>>> - "please ensure your Configuration instance
>>>>>
>>>> has a 'setConfigUrl(String)' method to receive it.";
>>>>
>>>>> + "'setConfigUrl(String)' method on the
>>>>>
>>>> Configuration instance [" + conf + "]. If you do " +
>>>>
>>>>> + "not require the 'configUrl' filter param,
>>>>>
>>>> please comment it out, or if you do need it, " +
>>>>
>>>>> + "please ensure your Configuration instance has
>>>>> a
>>>>>
>>>> 'setConfigUrl(String)' method to receive it.";
>>>>
>>>>> throw new ConfigurationException(msg);
>>>>> }
>>>>> } catch (Exception e) {
>>>>> @@ -347,26 +347,69 @@
>>>>> return WebUtils.getInetAddress(request);
>>>>> }
>>>>>
>>>>> - protected void doFilterInternal(ServletRequest servletRequest,
>>>>>
>>>> ServletResponse servletResponse,
>>>>
>>>>> - FilterChain origChain) throws
>>>>>
>>>> ServletException, IOException {
>>>>
>>>>> + /**
>>>>> + * Wraps the original HttpServletRequest in a {@link
>>>>>
>>>> JSecurityHttpServletRequest}
>>>>
>>>>> + * @since 1.0
>>>>> + */
>>>>> + protected ServletRequest wrapServletRequest(HttpServletRequest
>>>>> orig)
>>>>>
>>>> {
>>>>
>>>>> + return new JSecurityHttpServletRequest(orig,
>>>>>
>>>> getServletContext(), isHttpSessions());
>>>>
>>>>> + }
>>>>>
>>>>> - HttpServletRequest request = (HttpServletRequest)
>>>>>
>>>> servletRequest;
>>>>
>>>>> - HttpServletResponse response = (HttpServletResponse)
>>>>>
>>>> servletResponse;
>>>>
>>>>> + /** @since 1.0 */
>>>>> + protected ServletRequest prepareServletRequest(ServletRequest
>>>>>
>>>> request, ServletResponse response,
>>>>
>>>>> + FilterChain chain)
>>>>> {
>>>>> + ServletRequest toUse = request;
>>>>> + if (request instanceof HttpServletRequest) {
>>>>> + HttpServletRequest http = (HttpServletRequest) request;
>>>>> + toUse = wrapServletRequest(http);
>>>>> + }
>>>>> + return toUse;
>>>>> + }
>>>>>
>>>>> - ThreadContext.bind(getInetAddress(request));
>>>>> + /** @since 1.0 */
>>>>> + protected ServletResponse wrapServletResponse(HttpServletResponse
>>>>>
>>>> orig, JSecurityHttpServletRequest request) {
>>>>
>>>>> + return new JSecurityHttpServletResponse(orig,
>>>>>
>>>> getServletContext(), request);
>>>>
>>>>> + }
>>>>>
>>>>> - boolean httpSessions = isHttpSessions();
>>>>> - request = new JSecurityHttpServletRequest(request,
>>>>>
>>>> getServletContext(), httpSessions);
>>>>
>>>>> - if (!httpSessions) {
>>>>> + /** @since 1.0 */
>>>>> + protected ServletResponse prepareServletResponse(ServletRequest
>>>>>
>>>> request, ServletResponse response,
>>>>
>>>>> + FilterChain
>>>>> chain)
>>>>>
>>>> {
>>>>
>>>>> + ServletResponse toUse = response;
>>>>> + if (isHttpSessions() && (request instanceof
>>>>>
>>>> JSecurityHttpServletRequest) &&
>>>>
>>>>> + (response instanceof HttpServletResponse)) {
>>>>> //the JSecurityHttpServletResponse exists to support URL
>>>>>
>>>> rewriting for session ids. This is only needed if
>>>>
>>>>> //using JSecurity sessions (i.e. not simple HttpSession based
>>>>>
>>>> sessions):
>>>>
>>>>> - response = new JSecurityHttpServletResponse(response,
>>>>>
>>>> getServletContext(), (JSecurityHttpServletRequest) request);
>>>>
>>>>> + toUse = wrapServletResponse((HttpServletResponse)
>>>>> response,
>>>>>
>>>> (JSecurityHttpServletRequest) request);
>>>>
>>>>> }
>>>>> + return toUse;
>>>>> + }
>>>>>
>>>>> + /** @since 1.0 */
>>>>> + protected void bind(ServletRequest request, ServletResponse
>>>>>
>>>> response) {
>>>>
>>>>> + WebUtils.bindInetAddressToThread(request);
>>>>> WebUtils.bind(request);
>>>>> WebUtils.bind(response);
>>>>> ThreadContext.bind(getSecurityManager());
>>>>> ThreadContext.bind(getSecurityManager().getSubject());
>>>>> + }
>>>>> +
>>>>> + /** @since 1.0 */
>>>>> + protected void unbind(ServletRequest request, ServletResponse
>>>>>
>>>> response) {
>>>>
>>>>> + //arguments ignored, just clear the thread:
>>>>> + ThreadContext.unbindSubject();
>>>>> + ThreadContext.unbindSecurityManager();
>>>>> + WebUtils.unbindServletResponse();
>>>>> + WebUtils.unbindServletRequest();
>>>>> + ThreadContext.unbindInetAddress();
>>>>> + }
>>>>> +
>>>>> + protected void doFilterInternal(ServletRequest servletRequest,
>>>>>
>>>> ServletResponse servletResponse,
>>>>
>>>>> + FilterChain origChain) throws
>>>>>
>>>> ServletException, IOException {
>>>>
>>>>> +
>>>>> + ServletRequest request = prepareServletRequest(servletRequest,
>>>>>
>>>> servletResponse, origChain);
>>>>
>>>>> + ServletResponse response = prepareServletResponse(request,
>>>>>
>>>> servletResponse, origChain);
>>>>
>>>>> +
>>>>> + bind(request, response);
>>>>>
>>>>> FilterChain chain = getConfiguration().getChain(request,
>>>>>
>>>> response, origChain);
>>>>
>>>>> if (chain == null) {
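Review bot: The guard in `prepareServletResponse` has lost its negation. The removed code wrapped the response only under `if (!httpSessions)`, and the retained comment still says the wrapper is needed only for JSecurity sessions (not HttpSession-based ones), yet the new condition starts with `isHttpSessions() &&`. As written, native-session deployments would no longer get the `JSecurityHttpServletResponse` that handles session-id URL rewriting, while HttpSession deployments get a wrapper they do not need. The first line of the condition should read `if (!isHttpSessions() && (request instanceof JSecurityHttpServletRequest) &&`. The same hunk is quoted again later in this thread.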
>>>>> @@ -383,11 +426,7 @@
>>>>> try {
>>>>> chain.doFilter(request, response);
>>>>> } finally {
>>>>> - ThreadContext.unbindSubject();
>>>>> - ThreadContext.unbindSecurityManager();
>>>>> - WebUtils.unbindServletResponse();
>>>>> - WebUtils.unbindServletRequest();
>>>>> - ThreadContext.unbindInetAddress();
>>>>> + unbind(request, response);
>>>>> }
>>>>> }
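Review bot: `unbind(request, response)` only runs for failures inside `chain.doFilter`, because this `try` opens after `bind(request, response)` and `getConfiguration().getChain(...)` in the previous hunk. If `getChain` or the lines between the two hunks (not shown here) throw, the Subject, SecurityManager, request and response would stay bound to a container thread that is likely reused for another caller's request. Opening the `try` immediately after `bind(request, response);`, so the chain lookup is covered by the same `finally`, would close that gap. `doFilterInternal` begins in the previous hunk and part of its body lies outside both hunks.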
>>>>>
>>>>>
>>>>> Modified:
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
>>>>
>>>>> URL:
>>>>>
>>>>
>>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>>>>
>>>>> ==============================================================================
>>>>
>>>>> ---
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
>>>> (original)
>>>>
>>>>> +++
>>>>>
>>>>
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
>>>> Tue Feb 17 15:24:02 2009
>>>>
>>>>> @@ -229,7 +229,8 @@
>>>>> return sessionId;
>>>>> }
>>>>>
>>>>> - public Session retrieveSession(Serializable sessionId) throws
>>>>>
>>>> InvalidSessionException, AuthorizationException {
>>>>
>>>>> + @Override
>>>>> + protected Session retrieveSession(Serializable sessionId) throws
>>>>>
>>>> InvalidSessionException, AuthorizationException {
>>>>
>>>>> if (sessionId != null) {
>>>>> return super.retrieveSession(sessionId);
>>>>> } else {
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Cordialement,
>>>> Emmanuel Lécharny
>>>> www.iktek.com
>>>>
>>>>
>>
>
Re: svn commit: r745117 - in /incubator/jsecurity/trunk: ./ samples/quickstart/ samples/standalone/ web/src/org/jsecurity/web/ web/src/org/jsecurity/web/servlet/ web/src/org/jsecurity/web/session/
Posted by David O'Flynn <do...@atlassian.com>.
We've found some issues with that for larger products.
IDEA's mvn integration has gotten a lot better in v8. You can open the
pom.xml directly from IDEA, and IDEA is also happy to use mvn for
building the project too.
On 18/02/2009, at 4:20 PM, Alan D. Cabrera wrote:
> Easy enough to fix:
>
> mvn idea:idea
>
>
> :D
>
>
> Regards,
> Alan
>
> On Feb 17, 2009, at 7:43 AM, Les Hazlewood wrote:
>
>> This was a result of me hosing something with my own installation
>> that I
>> didn't understand. The easiest thing to do was to remove and
>> replace once I
>> got it up and running - I didn't want to waste time investigating
>> how I
>> broke it. This is the first time I've seen this issue in 4 years,
>> and odds
>> are very high it is because of user error :)
>>
>> On Tue, Feb 17, 2009 at 10:29 AM, Emmanuel Lecharny <elecharny@apache.org
>> >wrote:
>>
>>> I don't get it ...
>>>
>>> Either the project files are a (temporarily) hassle, and then you
>>> just
>>> need to remove them completely, and you don't have to inject them
>>> back
>>> (remind me a previous convo ;), or you keep them in svn, add some
>>> svn:ignore flags locally and remove them from your disk, and when
>>> they
>>> are fixed, you remove the svn:ignore property. That should do the
>>> trick, IMO?
>>>
>>> On Tue, Feb 17, 2009 at 4:24 PM, <lh...@apache.org> wrote:
>>>> Author: lhazlewood
>>>> Date: Tue Feb 17 15:24:02 2009
>>>> New Revision: 745117
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=745117&view=rev
>>>> Log:
>>>> removing project files for now (seeing errors in my IDE) - will
>>>> re-add
>>> them after cleanup. Also added some utility methods to reduce
>>> method
>>> complexity
>>>>
>>>> Removed:
>>>> incubator/jsecurity/trunk/jsecurity.iml
>>>> incubator/jsecurity/trunk/jsecurity.ipr
>>>> incubator/jsecurity/trunk/samples/quickstart/quickstart.iml
>>>> incubator/jsecurity/trunk/samples/standalone/standalone.iml
>>>> Modified:
>>>>
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> DefaultWebSecurityManager.java
>>>>
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> WebSubjectFactory.java
>>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
>>>>
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/
>>> JSecurityFilter.java
>>>>
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/
>>> DefaultWebSessionManager.java
>>>>
>>>> Modified:
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> DefaultWebSecurityManager.java
>>>> URL:
>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> ====================================================================
>>>> ---
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> DefaultWebSecurityManager.java
>>> (original)
>>>> +++
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> DefaultWebSecurityManager.java
>>> Tue Feb 17 15:24:02 2009
>>>> @@ -75,7 +75,7 @@
>>>> this();
>>>> setRealms(realms);
>>>> }
>>>> -
>>>> +
>>>> /**
>>>> * Sets the path used to store the remember me cookie. This
>>> determines which paths
>>>> * are able to view the remember me cookie.
>>>> @@ -149,7 +149,6 @@
>>>> LifecycleUtils.destroy(getSessionManager());
>>>> WebSessionManager sessionManager =
>>> createSessionManager(mode);
>>>> setSessionManager(sessionManager);
>>>> - setSubjectFactory(new WebSubjectFactory(this,
>>> sessionManager));
>>>> }
>>>> }
>>>>
>>>>
>>>> Modified:
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> WebSubjectFactory.java
>>>> URL:
>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> ====================================================================
>>>> ---
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> WebSubjectFactory.java
>>> (original)
>>>> +++
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> WebSubjectFactory.java
>>> Tue Feb 17 15:24:02 2009
>>>> @@ -85,9 +85,14 @@
>>>> }
>>>>
>>>> protected Session getWebSession() {
>>>> - ServletRequest request =
>>>> WebUtils.getRequiredServletRequest();
>>>> - ServletResponse response =
>>> WebUtils.getRequiredServletResponse();
>>>> - return getWebSessionManager().getSession(request,
>>>> response);
>>>> + ServletRequest request = WebUtils.getServletRequest();
>>>> + ServletResponse response = WebUtils.getServletResponse();
>>>> + if ( request == null || response == null ) {
>>>> + //no current web request - probably a remote method
>>> invocation that didn't come in via a servlet request:
>>>> + return null;
>>>> + } else {
>>>> + return getWebSessionManager().getSession(request,
>>>> response);
>>>> + }
>>>> }
>>>>
>>>> @Override
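Review bot: `getWebSession()` now returns `null` when no request or response is bound to the thread, and nothing on the method documents that. The `getRequired…` accessors it used before are described in WebUtils as throwing `IllegalStateException`, so callers move from a loud failure to a silent null Session. The `InetAddress` lookup in the next hunk (`@@ -110,7 +115,10 @@`) falls through to `null` the same way. I would add a Javadoc line such as `@return the current web session, or {@code null} if no servlet request/response is bound to the calling thread`, and confirm that callers outside this hunk treat a null session as "no session" rather than dereferencing it.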
>>>> @@ -110,7 +115,10 @@
>>>>
>>>> InetAddress inet = inetAddress;
>>>> if (inet == null) {
>>>> - inet =
>>> WebUtils.getInetAddress(WebUtils.getRequiredServletRequest());
>>>> + ServletRequest request = WebUtils.getServletRequest();
>>>> + if ( request != null ) {
>>>> + inet = WebUtils.getInetAddress(request);
>>>> + }
>>>> }
>>>>
>>>> return super.createSubject(pc, session, authc, inet);
>>>>
>>>> Modified:
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
>>>> URL:
>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> ====================================================================
>>>> --- incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>>> WebUtils.java
>>> (original)
>>>> +++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>>> WebUtils.java Tue
>>> Feb 17 15:24:02 2009
>>>> @@ -305,6 +305,29 @@
>>>> }
>>>>
>>>> /**
>>>> + * Returns the current thread-bound {@code ServletRequest}
>>>> or {@code
>>> null} if there is not one bound.
>>>> + * <p/>
>>>> + * It is the case in certain enterprise environments where a
>>> web-enabled SecurityManager (and its internal mechanisms)
>>>> + * is the primary SecurityManager but also serves as a
>>>> 'central'
>>> coordinator for security operations in a cluster.
>>>> + * In these environments, it is possible for a web-enabled
>>> SecurityManager to receive remote method invocations that
>>>> + * are not HTTP based.
>>>> + * <p/>
>>>> + * In these environments, we need to acquire a thread-bound
>>> ServletRequest if it exists, but
>>>> + * not throw an exception if one is not found (with the
>>>> assumption
>>> that the incoming call is not a web request but
>>>> + * instead a remote method invocation). This method exists to
>>> support these environments, whereas the
>>>> + * {@link #getRequiredServletRequest()
>>>> getRequiredServletRequest()}
>>> method always assumes a
>>>> + * servlet-only environment.
>>>> + * <p/>
>>>> + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It
>>>> exists for
>>> JSecurity implementation requirements only.
>>>> + *
>>>> + * @return the current thread-bound {@code ServletRequest}
>>>> or {@code
>>> null} if there is not one bound.
>>>> + * @since 1.0
>>>> + */
>>>> + public static ServletRequest getServletRequest() {
>>>> + return (ServletRequest)
>>>> ThreadContext.get(SERVLET_REQUEST_KEY);
>>>> + }
>>>> +
>>>> + /**
>>>> * Convenience method that simplifies retrieval of a required
>>> thread-bound ServletRequest. If there is no
>>>> * ServletRequest bound to the thread when this method is
>>>> called, an
>>> <code>IllegalStateException</code> is
>>>> * thrown.
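Review bot: `getServletRequest()` is declared `public static` although its Javadoc says it is not part of JSecurity's public API; the same applies to `getServletResponse()` in the next hunk (`@@ -368,6 +391,29 @@`). The only caller visible in this commit, `WebSubjectFactory`, lives in the same `org.jsecurity.web` package, so package-private visibility may be enough and would keep application code from depending on a null-returning accessor. If callers in other packages need it (none are visible here), the visibility has to stay as it is.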
>>>> @@ -368,6 +391,29 @@
>>>> }
>>>>
>>>> /**
>>>> + * Returns the current thread-bound {@code ServletResponse} or
>>> {@code null} if there is not one bound.
>>>> + * <p/>
>>>> + * It is the case in certain enterprise environments where a
>>> web-enabled SecurityManager (and its internal mechanisms)
>>>> + * is the primary SecurityManager but also serves as a
>>>> 'central'
>>> coordinator for security operations in a cluster.
>>>> + * In these environments, it is possible for a web-enabled
>>> SecurityManager to receive remote method invocations that
>>>> + * are not HTTP based.
>>>> + * <p/>
>>>> + * In these environments, we need to acquire a thread-bound
>>> ServletResponse if it exists, but
>>>> + * not throw an exception if one is not found (with the
>>>> assumption
>>> that the incoming call is not a web request but
>>>> + * instead a remote method invocation). This method exists to
>>> support these environments, whereas the
>>>> + * {@link #getRequiredServletResponse()
>>> getRequiredServletResponse()} method always assumes a
>>>> + * servlet-only environment.
>>>> + * <p/>
>>>> + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It
>>>> exists for
>>> JSecurity implementation requirements only.
>>>> + *
>>>> + * @return the current thread-bound {@code ServletResponse} or
>>> {@code null} if there is not one bound.
>>>> + * @since 1.0
>>>> + */
>>>> + public static ServletResponse getServletResponse() {
>>>> + return (ServletResponse)
>>> ThreadContext.get(SERVLET_RESPONSE_KEY);
>>>> + }
>>>> +
>>>> + /**
>>>> * Convenience method that simplifies retrieval of a required
>>> thread-bound ServletResponse. If there is no
>>>> * ServletResponse bound to the thread when this method is
>>>> called, an
>>> <code>IllegalStateException</code> is
>>>> * thrown.
>>>>
>>>> Modified:
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/
>>> JSecurityFilter.java
>>>> URL:
>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> ====================================================================
>>>> ---
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/
>>> JSecurityFilter.java
>>> (original)
>>>> +++
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/
>>> JSecurityFilter.java
>>> Tue Feb 17 15:24:02 2009
>>>> @@ -42,21 +42,21 @@
>>>>
>>>> /**
>>>> * Main ServletFilter that configures and enables all JSecurity
>>>> functions
>>> within a web application.
>>>> - *
>>>> + * <p/>
>>>> * The following is a fully commented example that documents how to
>>> configure it:
>>>> - *
>>>> + * <p/>
>>>> * <pre><filter>
>>>> * <filter-name>JSecurityFilter</filter-name>
>>>> *
>>> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</
>>> filter-class>
>>>> *
>>> <init-param><param-name>config</param-
>>> name><param-value>
>>>> - *
>>>> + * <p/>
>>>> * #NOTE: This config looks pretty long - but its not - its only
>>>> 5 lines
>>> of actual config.
>>>> * # Everything else is just heavily commented to explain
>>>> things
>>> in-depth. Feel free to delete any
>>>> * # comments that you don't want to read from your own
>>> configuration ;)
>>>> * #
>>>> * # Any commented values below are JSecurity's defaults. If you
>>>> want to
>>> change any values, you only
>>>> * # need to uncomment the lines you want to change.
>>>> - *
>>>> + * <p/>
>>>> * [main]
>>>> * # The 'main' section defines JSecurity-wide configuration.
>>>> * #
>>>> @@ -69,7 +69,7 @@
>>>> * #
>>>> * #securityManager = {@link
>>>> org.jsecurity.web.DefaultWebSecurityManager
>>> org.jsecurity.web.DefaultWebSecurityManager}
>>>> * #securityManager.{@linkorg.jsecurity.web.DefaultWebSecurityManager
>>>> #setSessionMode(String)
>>> sessionMode} = http
>>>> - *
>>>> + * <p/>
>>>> * [filters]
>>>> * # This section defines the 'pool' of all Filters available to
>>>> the url
>>> path definitions in the [urls] section below.
>>>> * #
>>>> @@ -112,7 +112,7 @@
>>>> * #
>>>> * # Define your own filters here. To properly handle url path
>>>> matching
>>> (see the [urls] section below), your
>>>> * # filter should extend the {@link
>>> org.jsecurity.web.filter.PathMatchingFilter PathMatchingFilter}
>>> abstract
>>> class.
>>>> - *
>>>> + * <p/>
>>>> * [urls]
>>>> * # This section defines url path mappings. Each mapping entry
>>>> must be
>>> on a single line and conform to the
>>>> * # following representation:
>>>> @@ -158,14 +158,14 @@
>>>> * # the text between the brackets as two permissions:
>>> 'remote:invoke:lan' and 'wan' instead of the
>>>> * # single desired 'remote:invoke:lan,wan' token. So, you can use
>>> quotes wherever you need to escape internal
>>>> * # commas.)
>>>> - *
>>>> + * <p/>
>>>> * /account/** = <a href="#authcBasic">authcBasic</a>
>>>> * /remoting/** = <a href="#authcBasic">authcBasic</a>, <a
>>> href="#roles">roles</a>[b2bClient], <a
>>> href="#perms">perms</a>[remote:invoke:"lan,wan"]
>>>> - *
>>>> + * <p/>
>>>> * </param-value></init-param>
>>>> * </filter>
>>>> - *
>>>> - *
>>>> + * <p/>
>>>> + * <p/>
>>>> * <filter-mapping>
>>>> * <filter-name>JSecurityFilter</filter-name>
>>>> * <url-pattern>/*</url-pattern>
>>>> @@ -185,7 +185,7 @@
>>>> public static final String CONFIG_INIT_PARAM_NAME = "config";
>>>> public static final String CONFIG_URL_INIT_PARAM_NAME =
>>>> "configUrl";
>>>>
>>>> - private static final Log log =
>>> LogFactory.getLog(JSecurityFilter.class);
>>>> + private static final Log log =
>>> LogFactory.getLog(JSecurityFilter.class);
>>>>
>>>> protected String config;
>>>> protected String configUrl;
>>>> @@ -238,7 +238,7 @@
>>>> if (sm == null) {
>>>> if (log.isInfoEnabled()) {
>>>> log.info("Configuration instance [" + config + "] did
>>> not provide a SecurityManager. No config " +
>>>> - "specified? Defaulting to a " +
>>> DefaultWebSecurityManager.class.getName() + " instance...");
>>>> + "specified? Defaulting to a " +
>>> DefaultWebSecurityManager.class.getName() + " instance...");
>>>> }
>>>> sm = new DefaultWebSecurityManager();
>>>> }
>>>> @@ -255,8 +255,8 @@
>>>> this.configClassName = configCN;
>>>> } else {
>>>> String msg = "configClassName fully qualified class
>>>> name
>>> value [" + configCN + "] is not " +
>>>> - "available in the classpath. Please
>>>> ensure you
>>> have typed it correctly and the " +
>>>> - "corresponding class or jar is in the
>>> classpath.";
>>>> + "available in the classpath. Please ensure
>>>> you have
>>> typed it correctly and the " +
>>>> + "corresponding class or jar is in the
>>>> classpath.";
>>>> throw new ConfigurationException(msg);
>>>> }
>>>> }
>>>> @@ -277,7 +277,7 @@
>>>> protected void applyFilterConfig(WebConfiguration conf) {
>>>> if (log.isDebugEnabled()) {
>>>> String msg = "Attempting to inject the FilterConfig
>>>> (using
>>> 'setFilterConfig' method) into the " +
>>>> - "instantiated WebConfiguration for any wrapped
>>> Filter initialization...";
>>>> + "instantiated WebConfiguration for any wrapped
>>>> Filter
>>> initialization...";
>>>> log.debug(msg);
>>>> }
>>>> try {
>>>> @@ -301,9 +301,9 @@
>>>> PropertyUtils.setProperty(conf, "config",
>>> this.config);
>>>> } else {
>>>> String msg = "The 'config' filter param was
>>> specified, but there is no " +
>>>> - "'setConfig(String)' method on the
>>> Configuration instance [" + conf + "]. If you do " +
>>>> - "not require the 'config' filter
>>>> param,
>>> please comment it out, or if you do need it, " +
>>>> - "please ensure your Configuration
>>>> instance
>>> has a 'setConfig(String)' method to receive it.";
>>>> + "'setConfig(String)' method on the
>>>> Configuration
>>> instance [" + conf + "]. If you do " +
>>>> + "not require the 'config' filter param,
>>>> please
>>> comment it out, or if you do need it, " +
>>>> + "please ensure your Configuration
>>>> instance has a
>>> 'setConfig(String)' method to receive it.";
>>>> throw new ConfigurationException(msg);
>>>> }
>>>> } catch (Exception e) {
>>>> @@ -322,9 +322,9 @@
>>>> PropertyUtils.setProperty(conf, "configUrl",
>>> this.configUrl);
>>>> } else {
>>>> String msg = "The 'configUrl' filter param was
>>> specified, but there is no " +
>>>> - "'setConfigUrl(String)' method on the
>>> Configuration instance [" + conf + "]. If you do " +
>>>> - "not require the 'configUrl' filter
>>>> param,
>>> please comment it out, or if you do need it, " +
>>>> - "please ensure your Configuration
>>>> instance
>>> has a 'setConfigUrl(String)' method to receive it.";
>>>> + "'setConfigUrl(String)' method on the
>>> Configuration instance [" + conf + "]. If you do " +
>>>> + "not require the 'configUrl' filter param,
>>> please comment it out, or if you do need it, " +
>>>> + "please ensure your Configuration
>>>> instance has a
>>> 'setConfigUrl(String)' method to receive it.";
>>>> throw new ConfigurationException(msg);
>>>> }
>>>> } catch (Exception e) {
>>>> @@ -347,26 +347,69 @@
>>>> return WebUtils.getInetAddress(request);
>>>> }
>>>>
>>>> - protected void doFilterInternal(ServletRequest servletRequest,
>>> ServletResponse servletResponse,
>>>> - FilterChain origChain) throws
>>> ServletException, IOException {
>>>> + /**
>>>> + * Wraps the original HttpServletRequest in a {@link
>>> JSecurityHttpServletRequest}
>>>> + * @since 1.0
>>>> + */
>>>> + protected ServletRequest
>>>> wrapServletRequest(HttpServletRequest orig)
>>> {
>>>> + return new JSecurityHttpServletRequest(orig,
>>> getServletContext(), isHttpSessions());
>>>> + }
>>>>
>>>> - HttpServletRequest request = (HttpServletRequest)
>>> servletRequest;
>>>> - HttpServletResponse response = (HttpServletResponse)
>>> servletResponse;
>>>> + /** @since 1.0 */
>>>> + protected ServletRequest prepareServletRequest(ServletRequest
>>> request, ServletResponse response,
>>>> + FilterChain
>>>> chain) {
>>>> + ServletRequest toUse = request;
>>>> + if (request instanceof HttpServletRequest) {
>>>> + HttpServletRequest http = (HttpServletRequest)
>>>> request;
>>>> + toUse = wrapServletRequest(http);
>>>> + }
>>>> + return toUse;
>>>> + }
>>>>
>>>> - ThreadContext.bind(getInetAddress(request));
>>>> + /** @since 1.0 */
>>>> + protected ServletResponse
>>>> wrapServletResponse(HttpServletResponse
>>> orig, JSecurityHttpServletRequest request) {
>>>> + return new JSecurityHttpServletResponse(orig,
>>> getServletContext(), request);
>>>> + }
>>>>
>>>> - boolean httpSessions = isHttpSessions();
>>>> - request = new JSecurityHttpServletRequest(request,
>>> getServletContext(), httpSessions);
>>>> - if (!httpSessions) {
>>>> + /** @since 1.0 */
>>>> + protected ServletResponse
>>>> prepareServletResponse(ServletRequest
>>> request, ServletResponse response,
>>>> + FilterChain
>>>> chain)
>>> {
>>>> + ServletResponse toUse = response;
>>>> + if (isHttpSessions() && (request instanceof
>>> JSecurityHttpServletRequest) &&
>>>> + (response instanceof HttpServletResponse)) {
>>>> //the JSecurityHttpServletResponse exists to support URL
>>> rewriting for session ids. This is only needed if
>>>> //using JSecurity sessions (i.e. not simple HttpSession
>>>> based
>>> sessions):
>>>> - response = new JSecurityHttpServletResponse(response,
>>> getServletContext(), (JSecurityHttpServletRequest) request);
>>>> + toUse = wrapServletResponse((HttpServletResponse)
>>>> response,
>>> (JSecurityHttpServletRequest) request);
>>>> }
>>>> + return toUse;
>>>> + }
>>>>
>>>> + /** @since 1.0 */
>>>> + protected void bind(ServletRequest request, ServletResponse
>>> response) {
>>>> + WebUtils.bindInetAddressToThread(request);
>>>> WebUtils.bind(request);
>>>> WebUtils.bind(response);
>>>> ThreadContext.bind(getSecurityManager());
>>>> ThreadContext.bind(getSecurityManager().getSubject());
>>>> + }
>>>> +
>>>> + /** @since 1.0 */
>>>> + protected void unbind(ServletRequest request, ServletResponse
>>> response) {
>>>> + //arguments ignored, just clear the thread:
>>>> + ThreadContext.unbindSubject();
>>>> + ThreadContext.unbindSecurityManager();
>>>> + WebUtils.unbindServletResponse();
>>>> + WebUtils.unbindServletRequest();
>>>> + ThreadContext.unbindInetAddress();
>>>> + }
>>>> +
>>>> + protected void doFilterInternal(ServletRequest servletRequest,
>>> ServletResponse servletResponse,
>>>> + FilterChain origChain) throws
>>> ServletException, IOException {
>>>> +
>>>> + ServletRequest request =
>>>> prepareServletRequest(servletRequest,
>>> servletResponse, origChain);
>>>> + ServletResponse response = prepareServletResponse(request,
>>> servletResponse, origChain);
>>>> +
>>>> + bind(request, response);
>>>>
>>>> FilterChain chain = getConfiguration().getChain(request,
>>> response, origChain);
>>>> if (chain == null) {
>>>> @@ -383,11 +426,7 @@
>>>> try {
>>>> chain.doFilter(request, response);
>>>> } finally {
>>>> - ThreadContext.unbindSubject();
>>>> - ThreadContext.unbindSecurityManager();
>>>> - WebUtils.unbindServletResponse();
>>>> - WebUtils.unbindServletRequest();
>>>> - ThreadContext.unbindInetAddress();
>>>> + unbind(request, response);
>>>> }
>>>> }
>>>>
>>>>
>>>> Modified:
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/
>>> DefaultWebSessionManager.java
>>>> URL:
>>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java?rev=745117&r1=745116&r2=745117&view=diff
>>>>
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> ====================================================================
>>>> ---
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/
>>> DefaultWebSessionManager.java
>>> (original)
>>>> +++
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/
>>> DefaultWebSessionManager.java
>>> Tue Feb 17 15:24:02 2009
>>>> @@ -229,7 +229,8 @@
>>>> return sessionId;
>>>> }
>>>>
>>>> - public Session retrieveSession(Serializable sessionId) throws
>>> InvalidSessionException, AuthorizationException {
>>>> + @Override
>>>> + protected Session retrieveSession(Serializable sessionId)
>>>> throws
>>> InvalidSessionException, AuthorizationException {
>>>> if (sessionId != null) {
>>>> return super.retrieveSession(sessionId);
>>>> } else {
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Cordialement,
>>> Emmanuel Lécharny
>>> www.iktek.com
>>>
>
Re: svn commit: r745117 - in /incubator/jsecurity/trunk: ./ samples/quickstart/ samples/standalone/ web/src/org/jsecurity/web/ web/src/org/jsecurity/web/servlet/ web/src/org/jsecurity/web/session/
Posted by "Alan D. Cabrera" <li...@toolazydogs.com>.
Easy enough to fix:
mvn idea:idea
:D
Regards,
Alan
On Feb 17, 2009, at 7:43 AM, Les Hazlewood wrote:
> This was a result of me hosing something with my own installation
> that I
> didn't understand. The easiest thing to do was to remove and
> replace once I
> got it up and running - I didn't want to waste time investigating
> how I
> broke it. This is the first time I've seen this issue in 4 years,
> and odds
> are very high it is because of user error :)
>
> On Tue, Feb 17, 2009 at 10:29 AM, Emmanuel Lecharny <elecharny@apache.org
> >wrote:
>
>> I don't get it ...
>>
>> Either the project files are a (temporary) hassle, and then you just
>> need to remove them completely, and you don't have to inject them back
>> (reminds me of a previous convo ;), or you keep them in svn, add some
>> svn:ignore flags locally and remove them from your disk, and when they
>> are fixed, you remove the svn:ignore property. That should do the
>> trick, IMO?
>>
>> On Tue, Feb 17, 2009 at 4:24 PM, <lh...@apache.org> wrote:
>>> Author: lhazlewood
>>> Date: Tue Feb 17 15:24:02 2009
>>> New Revision: 745117
>>>
>>> URL: http://svn.apache.org/viewvc?rev=745117&view=rev
>>> Log:
>>> removing project files for now (seeing errors in my IDE) - will re-
>>> add
>> them after cleanup. Also added some utility methods to reduce method
>> complexity
>>>
>>> Removed:
>>> incubator/jsecurity/trunk/jsecurity.iml
>>> incubator/jsecurity/trunk/jsecurity.ipr
>>> incubator/jsecurity/trunk/samples/quickstart/quickstart.iml
>>> incubator/jsecurity/trunk/samples/standalone/standalone.iml
>>> Modified:
>>>
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>> DefaultWebSecurityManager.java
>>>
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>> WebSubjectFactory.java
>>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
>>>
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/
>> JSecurityFilter.java
>>>
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/
>> DefaultWebSessionManager.java
>>>
>>> Modified:
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>> DefaultWebSecurityManager.java
>>> URL:
>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java?rev=745117&r1=745116&r2=745117&view=diff
>>>
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>>> ---
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>> DefaultWebSecurityManager.java
>> (original)
>>> +++
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>> DefaultWebSecurityManager.java
>> Tue Feb 17 15:24:02 2009
>>> @@ -75,7 +75,7 @@
>>> this();
>>> setRealms(realms);
>>> }
>>> -
>>> +
>>> /**
>>> * Sets the path used to store the remember me cookie. This
>> determines which paths
>>> * are able to view the remember me cookie.
>>> @@ -149,7 +149,6 @@
>>> LifecycleUtils.destroy(getSessionManager());
>>> WebSessionManager sessionManager =
>> createSessionManager(mode);
>>> setSessionManager(sessionManager);
>>> - setSubjectFactory(new WebSubjectFactory(this,
>> sessionManager));
>>> }
>>> }
>>>
>>>
>>> Modified:
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>> WebSubjectFactory.java
>>> URL:
>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java?rev=745117&r1=745116&r2=745117&view=diff
>>>
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>>> ---
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>> WebSubjectFactory.java
>> (original)
>>> +++
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>> WebSubjectFactory.java
>> Tue Feb 17 15:24:02 2009
>>> @@ -85,9 +85,14 @@
>>> }
>>>
>>> protected Session getWebSession() {
>>> - ServletRequest request =
>>> WebUtils.getRequiredServletRequest();
>>> - ServletResponse response =
>> WebUtils.getRequiredServletResponse();
>>> - return getWebSessionManager().getSession(request,
>>> response);
>>> + ServletRequest request = WebUtils.getServletRequest();
>>> + ServletResponse response = WebUtils.getServletResponse();
>>> + if ( request == null || response == null ) {
>>> + //no current web request - probably a remote method
>> invocation that didn't come in via a servlet request:
>>> + return null;
>>> + } else {
>>> + return getWebSessionManager().getSession(request,
>>> response);
>>> + }
>>> }
>>>
>>> @Override
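Review bot: `getWebSession()` now returns `null` silently whenever no request or response is bound to the thread, so a genuine non-HTTP invocation cannot be told apart from a web request that reached this code without passing through the filter. A debug-level message in the `null` branch would make that kind of misconfiguration visible, assuming the class has a logger (none is shown in the hunk), e.g. `log.debug("No ServletRequest/ServletResponse bound to the thread - returning null web session");`. The method should also get a Javadoc line stating that `null` is a valid return value. The next hunk (`@@ -110,7 +115,10 @@`) has the same shape: `inet` can now reach `super.createSubject(pc, session, authc, inet)` as `null`, which deserves a comment there, and any host-based check further down has to tolerate it.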
>>> @@ -110,7 +115,10 @@
>>>
>>> InetAddress inet = inetAddress;
>>> if (inet == null) {
>>> - inet =
>> WebUtils.getInetAddress(WebUtils.getRequiredServletRequest());
>>> + ServletRequest request = WebUtils.getServletRequest();
>>> + if ( request != null ) {
>>> + inet = WebUtils.getInetAddress(request);
>>> + }
>>> }
>>>
>>> return super.createSubject(pc, session, authc, inet);
>>>
>>> Modified:
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
>>> URL:
>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java?rev=745117&r1=745116&r2=745117&view=diff
>>>
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>>> --- incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> WebUtils.java
>> (original)
>>> +++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/
>>> WebUtils.java Tue
>> Feb 17 15:24:02 2009
>>> @@ -305,6 +305,29 @@
>>> }
>>>
>>> /**
>>> + * Returns the current thread-bound {@code ServletRequest} or
>>> {@code
>> null} if there is not one bound.
>>> + * <p/>
>>> + * It is the case in certain enterprise environments where a
>> web-enabled SecurityManager (and its internal mechanisms)
>>> + * is the primary SecurityManager but also serves as a
>>> 'central'
>> coordinator for security operations in a cluster.
>>> + * In these environments, it is possible for a web-enabled
>> SecurityManager to receive remote method invocations that
>>> + * are not HTTP based.
>>> + * <p/>
>>> + * In these environments, we need to acquire a thread-bound
>> ServletRequest if it exists, but
>>> + * not throw an exception if one is not found (with the
>>> assumption
>> that the incoming call is not a web request but
>>> + * instead a remote method invocation). This method exists to
>> support these environments, whereas the
>>> + * {@link #getRequiredServletRequest()
>>> getRequiredServletRequest()}
>> method always assumes a
>>> + * servlet-only environment.
>>> + * <p/>
>>> + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It
>>> exists for
>> JSecurity implementation requirements only.
>>> + *
>>> + * @return the current thread-bound {@code ServletRequest} or
>>> {@code
>> null} if there is not one bound.
>>> + * @since 1.0
>>> + */
>>> + public static ServletRequest getServletRequest() {
>>> + return (ServletRequest)
>>> ThreadContext.get(SERVLET_REQUEST_KEY);
>>> + }
>>> +
>>> + /**
>>> * Convenience method that simplifies retrieval of a required
>> thread-bound ServletRequest. If there is no
>>> * ServletRequest bound to the thread when this method is
>>> called, an
>> <code>IllegalStateException</code> is
>>> * thrown.
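Review bot: `getServletRequest()` is declared `public static` although its Javadoc says it is not part of JSecurity's public API, so nothing stops application code from calling it and then dereferencing a `null` result. The only caller visible in this commit, `WebSubjectFactory`, lives in the same `org.jsecurity.web` package, so dropping the modifier (`static ServletRequest getServletRequest()`) would enforce the restriction, provided no caller outside that package needs it. The same applies to `getServletResponse()` in the following hunk (`@@ -368,6 +391,29 @@`).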
>>> @@ -368,6 +391,29 @@
>>> }
>>>
>>> /**
>>> + * Returns the current thread-bound {@code ServletResponse} or
>> {@code null} if there is not one bound.
>>> + * <p/>
>>> + * It is the case in certain enterprise environments where a
>> web-enabled SecurityManager (and its internal mechanisms)
>>> + * is the primary SecurityManager but also serves as a
>>> 'central'
>> coordinator for security operations in a cluster.
>>> + * In these environments, it is possible for a web-enabled
>> SecurityManager to receive remote method invocations that
>>> + * are not HTTP based.
>>> + * <p/>
>>> + * In these environments, we need to acquire a thread-bound
>> ServletResponse if it exists, but
>>> + * not throw an exception if one is not found (with the
>>> assumption
>> that the incoming call is not a web request but
>>> + * instead a remote method invocation). This method exists to
>> support these environments, whereas the
>>> + * {@link #getRequiredServletResponse()
>> getRequiredServletResponse()} method always assumes a
>>> + * servlet-only environment.
>>> + * <p/>
>>> + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It
>>> exists for
>> JSecurity implementation requirements only.
>>> + *
>>> + * @return the current thread-bound {@code ServletResponse} or
>> {@code null} if there is not one bound.
>>> + * @since 1.0
>>> + */
>>> + public static ServletResponse getServletResponse() {
>>> + return (ServletResponse)
>> ThreadContext.get(SERVLET_RESPONSE_KEY);
>>> + }
>>> +
>>> + /**
>>> * Convenience method that simplifies retrieval of a required
>> thread-bound ServletResponse. If there is no
>>> * ServletResponse bound to the thread when this method is
>>> called, an
>> <code>IllegalStateException</code> is
>>> * thrown.
>>>
>>> Modified:
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/
>> JSecurityFilter.java
>>> URL:
>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java?rev=745117&r1=745116&r2=745117&view=diff
>>>
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>>> ---
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/
>> JSecurityFilter.java
>> (original)
>>> +++
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/
>> JSecurityFilter.java
>> Tue Feb 17 15:24:02 2009
>>> @@ -42,21 +42,21 @@
>>>
>>> /**
>>> * Main ServletFilter that configures and enables all JSecurity
>>> functions
>> within a web application.
>>> - *
>>> + * <p/>
>>> * The following is a fully commented example that documents how to
>> configure it:
>>> - *
>>> + * <p/>
>>> * <pre><filter>
>>> * <filter-name>JSecurityFilter</filter-name>
>>> *
>> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</
>> filter-class>
>>> *
>> <init-param><param-name>config</param-
>> name><param-value>
>>> - *
>>> + * <p/>
>>> * #NOTE: This config looks pretty long - but its not - its only 5
>>> lines
>> of actual config.
>>> * # Everything else is just heavily commented to explain
>>> things
>> in-depth. Feel free to delete any
>>> * # comments that you don't want to read from your own
>> configuration ;)
>>> * #
>>> * # Any commented values below are JSecurity's defaults. If you
>>> want to
>> change any values, you only
>>> * # need to uncomment the lines you want to change.
>>> - *
>>> + * <p/>
>>> * [main]
>>> * # The 'main' section defines JSecurity-wide configuration.
>>> * #
>>> @@ -69,7 +69,7 @@
>>> * #
>>> * #securityManager = {@link
>>> org.jsecurity.web.DefaultWebSecurityManager
>> org.jsecurity.web.DefaultWebSecurityManager}
>>> * #securityManager.
>>> {@linkorg
>>> .jsecurity.web.DefaultWebSecurityManager#setSessionMode(String)
>> sessionMode} = http
>>> - *
>>> + * <p/>
>>> * [filters]
>>> * # This section defines the 'pool' of all Filters available to
>>> the url
>> path definitions in the [urls] section below.
>>> * #
>>> @@ -112,7 +112,7 @@
>>> * #
>>> * # Define your own filters here. To properly handle url path
>>> matching
>> (see the [urls] section below), your
>>> * # filter should extend the {@link
>> org.jsecurity.web.filter.PathMatchingFilter PathMatchingFilter}
>> abstract
>> class.
>>> - *
>>> + * <p/>
>>> * [urls]
>>> * # This section defines url path mappings. Each mapping entry
>>> must be
>> on a single line and conform to the
>>> * # following representation:
>>> @@ -158,14 +158,14 @@
>>> * # the text between the brackets as two permissions:
>> 'remote:invoke:lan' and 'wan' instead of the
>>> * # single desired 'remote:invoke:lan,wan' token. So, you can use
>> quotes wherever you need to escape internal
>>> * # commas.)
>>> - *
>>> + * <p/>
>>> * /account/** = <a href="#authcBasic">authcBasic</a>
>>> * /remoting/** = <a href="#authcBasic">authcBasic</a>, <a
>> href="#roles">roles</a>[b2bClient], <a
>> href="#perms">perms</a>[remote:invoke:"lan,wan"]
>>> - *
>>> + * <p/>
>>> * </param-value></init-param>
>>> * </filter>
>>> - *
>>> - *
>>> + * <p/>
>>> + * <p/>
>>> * <filter-mapping>
>>> * <filter-name>JSecurityFilter</filter-name>
>>> * <url-pattern>/*</url-pattern>
>>> @@ -185,7 +185,7 @@
>>> public static final String CONFIG_INIT_PARAM_NAME = "config";
>>> public static final String CONFIG_URL_INIT_PARAM_NAME =
>>> "configUrl";
>>>
>>> - private static final Log log =
>> LogFactory.getLog(JSecurityFilter.class);
>>> + private static final Log log =
>> LogFactory.getLog(JSecurityFilter.class);
>>>
>>> protected String config;
>>> protected String configUrl;
>>> @@ -238,7 +238,7 @@
>>> if (sm == null) {
>>> if (log.isInfoEnabled()) {
>>> log.info("Configuration instance [" + config + "] did
>> not provide a SecurityManager. No config " +
>>> - "specified? Defaulting to a " +
>> DefaultWebSecurityManager.class.getName() + " instance...");
>>> + "specified? Defaulting to a " +
>> DefaultWebSecurityManager.class.getName() + " instance...");
>>> }
>>> sm = new DefaultWebSecurityManager();
>>> }
>>> @@ -255,8 +255,8 @@
>>> this.configClassName = configCN;
>>> } else {
>>> String msg = "configClassName fully qualified class
>>> name
>> value [" + configCN + "] is not " +
>>> - "available in the classpath. Please
>>> ensure you
>> have typed it correctly and the " +
>>> - "corresponding class or jar is in the
>> classpath.";
>>> + "available in the classpath. Please ensure
>>> you have
>> typed it correctly and the " +
>>> + "corresponding class or jar is in the
>>> classpath.";
>>> throw new ConfigurationException(msg);
>>> }
>>> }
>>> @@ -277,7 +277,7 @@
>>> protected void applyFilterConfig(WebConfiguration conf) {
>>> if (log.isDebugEnabled()) {
>>> String msg = "Attempting to inject the FilterConfig
>>> (using
>> 'setFilterConfig' method) into the " +
>>> - "instantiated WebConfiguration for any wrapped
>> Filter initialization...";
>>> + "instantiated WebConfiguration for any wrapped
>>> Filter
>> initialization...";
>>> log.debug(msg);
>>> }
>>> try {
>>> @@ -301,9 +301,9 @@
>>> PropertyUtils.setProperty(conf, "config",
>> this.config);
>>> } else {
>>> String msg = "The 'config' filter param was
>> specified, but there is no " +
>>> - "'setConfig(String)' method on the
>> Configuration instance [" + conf + "]. If you do " +
>>> - "not require the 'config' filter param,
>> please comment it out, or if you do need it, " +
>>> - "please ensure your Configuration
>>> instance
>> has a 'setConfig(String)' method to receive it.";
>>> + "'setConfig(String)' method on the
>>> Configuration
>> instance [" + conf + "]. If you do " +
>>> + "not require the 'config' filter param,
>>> please
>> comment it out, or if you do need it, " +
>>> + "please ensure your Configuration
>>> instance has a
>> 'setConfig(String)' method to receive it.";
>>> throw new ConfigurationException(msg);
>>> }
>>> } catch (Exception e) {
>>> @@ -322,9 +322,9 @@
>>> PropertyUtils.setProperty(conf, "configUrl",
>> this.configUrl);
>>> } else {
>>> String msg = "The 'configUrl' filter param was
>> specified, but there is no " +
>>> - "'setConfigUrl(String)' method on the
>> Configuration instance [" + conf + "]. If you do " +
>>> - "not require the 'configUrl' filter
>>> param,
>> please comment it out, or if you do need it, " +
>>> - "please ensure your Configuration
>>> instance
>> has a 'setConfigUrl(String)' method to receive it.";
>>> + "'setConfigUrl(String)' method on the
>> Configuration instance [" + conf + "]. If you do " +
>>> + "not require the 'configUrl' filter param,
>> please comment it out, or if you do need it, " +
>>> + "please ensure your Configuration
>>> instance has a
>> 'setConfigUrl(String)' method to receive it.";
>>> throw new ConfigurationException(msg);
>>> }
>>> } catch (Exception e) {
>>> @@ -347,26 +347,69 @@
>>> return WebUtils.getInetAddress(request);
>>> }
>>>
>>> - protected void doFilterInternal(ServletRequest servletRequest,
>> ServletResponse servletResponse,
>>> - FilterChain origChain) throws
>> ServletException, IOException {
>>> + /**
>>> + * Wraps the original HttpServletRequest in a {@link
>> JSecurityHttpServletRequest}
>>> + * @since 1.0
>>> + */
>>> + protected ServletRequest
>>> wrapServletRequest(HttpServletRequest orig)
>> {
>>> + return new JSecurityHttpServletRequest(orig,
>> getServletContext(), isHttpSessions());
>>> + }
>>>
>>> - HttpServletRequest request = (HttpServletRequest)
>> servletRequest;
>>> - HttpServletResponse response = (HttpServletResponse)
>> servletResponse;
>>> + /** @since 1.0 */
>>> + protected ServletRequest prepareServletRequest(ServletRequest
>> request, ServletResponse response,
>>> + FilterChain
>>> chain) {
>>> + ServletRequest toUse = request;
>>> + if (request instanceof HttpServletRequest) {
>>> + HttpServletRequest http = (HttpServletRequest) request;
>>> + toUse = wrapServletRequest(http);
>>> + }
>>> + return toUse;
>>> + }
>>>
>>> - ThreadContext.bind(getInetAddress(request));
>>> + /** @since 1.0 */
>>> + protected ServletResponse
>>> wrapServletResponse(HttpServletResponse
>> orig, JSecurityHttpServletRequest request) {
>>> + return new JSecurityHttpServletResponse(orig,
>> getServletContext(), request);
>>> + }
>>>
>>> - boolean httpSessions = isHttpSessions();
>>> - request = new JSecurityHttpServletRequest(request,
>> getServletContext(), httpSessions);
>>> - if (!httpSessions) {
>>> + /** @since 1.0 */
>>> + protected ServletResponse prepareServletResponse(ServletRequest
>> request, ServletResponse response,
>>> + FilterChain
>>> chain)
>> {
>>> + ServletResponse toUse = response;
>>> + if (isHttpSessions() && (request instanceof
>> JSecurityHttpServletRequest) &&
>>> + (response instanceof HttpServletResponse)) {
>>> //the JSecurityHttpServletResponse exists to support URL
>> rewriting for session ids. This is only needed if
>>> //using JSecurity sessions (i.e. not simple HttpSession
>>> based
>> sessions):
>>> - response = new JSecurityHttpServletResponse(response,
>> getServletContext(), (JSecurityHttpServletRequest) request);
>>> + toUse = wrapServletResponse((HttpServletResponse)
>>> response,
>> (JSecurityHttpServletRequest) request);
>>> }
>>> + return toUse;
>>> + }
>>>
>>> + /** @since 1.0 */
>>> + protected void bind(ServletRequest request, ServletResponse
>> response) {
>>> + WebUtils.bindInetAddressToThread(request);
>>> WebUtils.bind(request);
>>> WebUtils.bind(response);
>>> ThreadContext.bind(getSecurityManager());
>>> ThreadContext.bind(getSecurityManager().getSubject());
>>> + }
>>> +
>>> + /** @since 1.0 */
>>> + protected void unbind(ServletRequest request, ServletResponse
>> response) {
>>> + //arguments ignored, just clear the thread:
>>> + ThreadContext.unbindSubject();
>>> + ThreadContext.unbindSecurityManager();
>>> + WebUtils.unbindServletResponse();
>>> + WebUtils.unbindServletRequest();
>>> + ThreadContext.unbindInetAddress();
>>> + }
>>> +
>>> + protected void doFilterInternal(ServletRequest servletRequest,
>> ServletResponse servletResponse,
>>> + FilterChain origChain) throws
>> ServletException, IOException {
>>> +
>>> + ServletRequest request =
>>> prepareServletRequest(servletRequest,
>> servletResponse, origChain);
>>> + ServletResponse response = prepareServletResponse(request,
>> servletResponse, origChain);
>>> +
>>> + bind(request, response);
>>>
>>> FilterChain chain = getConfiguration().getChain(request,
>> response, origChain);
>>> if (chain == null) {
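Review bot: The guard in `prepareServletResponse` looks inverted relative to the code it replaces. The removed block wrapped the response under `if (!httpSessions)`, and the retained comment still says the wrapper is only needed when using JSecurity sessions, yet the new condition begins with `isHttpSessions() &&`. As written, the session-id URL-rewriting wrapper would be applied in HttpSession mode and skipped for JSecurity-native sessions. Unless that change is intentional, the line should read `if (!isHttpSessions() && (request instanceof JSecurityHttpServletRequest) &&`. `doFilterInternal` continues past the end of this hunk.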
>>> @@ -383,11 +426,7 @@
>>> try {
>>> chain.doFilter(request, response);
>>> } finally {
>>> - ThreadContext.unbindSubject();
>>> - ThreadContext.unbindSecurityManager();
>>> - WebUtils.unbindServletResponse();
>>> - WebUtils.unbindServletRequest();
>>> - ThreadContext.unbindInetAddress();
>>> + unbind(request, response);
>>> }
>>> }
>>>
>>>
>>> Modified:
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/
>> DefaultWebSessionManager.java
>>> URL:
>> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java?rev=745117&r1=745116&r2=745117&view=diff
>>>
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>>> ---
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/
>> DefaultWebSessionManager.java
>> (original)
>>> +++
>> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/
>> DefaultWebSessionManager.java
>> Tue Feb 17 15:24:02 2009
>>> @@ -229,7 +229,8 @@
>>> return sessionId;
>>> }
>>>
>>> - public Session retrieveSession(Serializable sessionId) throws
>> InvalidSessionException, AuthorizationException {
>>> + @Override
>>> + protected Session retrieveSession(Serializable sessionId)
>>> throws
>> InvalidSessionException, AuthorizationException {
>>> if (sessionId != null) {
>>> return super.retrieveSession(sessionId);
>>> } else {
>>>
>>>
>>>
>>
>>
>>
>> --
>> Regards,
>> Cordialement,
>> Emmanuel Lécharny
>> www.iktek.com
>>
Re: svn commit: r745117 - in /incubator/jsecurity/trunk: ./
samples/quickstart/ samples/standalone/ web/src/org/jsecurity/web/
web/src/org/jsecurity/web/servlet/ web/src/org/jsecurity/web/session/
Posted by Les Hazlewood <lh...@apache.org>.
This was a result of me hosing something with my own installation that I
didn't understand. The easiest thing to do was to remove and replace once I
got it up and running - I didn't want to waste time investigating how I
broke it. This is the first time I've seen this issue in 4 years, and odds
are very high it is because of user error :)
On Tue, Feb 17, 2009 at 10:29 AM, Emmanuel Lecharny <el...@apache.org>wrote:
> I don't get it ...
>
> Either the project files are a (temporary) hassle, and then you just
> need to remove them completely, and you don't have to inject them back
> (reminds me of a previous convo ;), or you keep them in svn, add some
> svn:ignore flags locally and remove them from your disk, and when they
> are fixed, you remove the svn:ignore property. That should do the
> trick, IMO?
>
> On Tue, Feb 17, 2009 at 4:24 PM, <lh...@apache.org> wrote:
> > Author: lhazlewood
> > Date: Tue Feb 17 15:24:02 2009
> > New Revision: 745117
> >
> > URL: http://svn.apache.org/viewvc?rev=745117&view=rev
> > Log:
> > removing project files for now (seeing errors in my IDE) - will re-add
> them after cleanup. Also added some utility methods to reduce method
> complexity
> >
> > Removed:
> > incubator/jsecurity/trunk/jsecurity.iml
> > incubator/jsecurity/trunk/jsecurity.ipr
> > incubator/jsecurity/trunk/samples/quickstart/quickstart.iml
> > incubator/jsecurity/trunk/samples/standalone/standalone.iml
> > Modified:
> >
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
> >
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
> > incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
> >
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
> >
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
> >
> > Modified:
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
> > URL:
> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java?rev=745117&r1=745116&r2=745117&view=diff
> >
> ==============================================================================
> > ---
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
> (original)
> > +++
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
> Tue Feb 17 15:24:02 2009
> > @@ -75,7 +75,7 @@
> > this();
> > setRealms(realms);
> > }
> > -
> > +
> > /**
> > * Sets the path used to store the remember me cookie. This
> determines which paths
> > * are able to view the remember me cookie.
> > @@ -149,7 +149,6 @@
> > LifecycleUtils.destroy(getSessionManager());
> > WebSessionManager sessionManager =
> createSessionManager(mode);
> > setSessionManager(sessionManager);
> > - setSubjectFactory(new WebSubjectFactory(this,
> sessionManager));
> > }
> > }
> >
> >
> > Modified:
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
> > URL:
> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java?rev=745117&r1=745116&r2=745117&view=diff
> >
> ==============================================================================
> > ---
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
> (original)
> > +++
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
> Tue Feb 17 15:24:02 2009
> > @@ -85,9 +85,14 @@
> > }
> >
> > protected Session getWebSession() {
> > - ServletRequest request = WebUtils.getRequiredServletRequest();
> > - ServletResponse response =
> WebUtils.getRequiredServletResponse();
> > - return getWebSessionManager().getSession(request, response);
> > + ServletRequest request = WebUtils.getServletRequest();
> > + ServletResponse response = WebUtils.getServletResponse();
> > + if ( request == null || response == null ) {
> > + //no current web request - probably a remote method
> invocation that didn't come in via a servlet request:
> > + return null;
> > + } else {
> > + return getWebSessionManager().getSession(request, response);
> > + }
> > }
> >
> > @Override
> > @@ -110,7 +115,10 @@
> >
> > InetAddress inet = inetAddress;
> > if (inet == null) {
> > - inet =
> WebUtils.getInetAddress(WebUtils.getRequiredServletRequest());
> > + ServletRequest request = WebUtils.getServletRequest();
> > + if ( request != null ) {
> > + inet = WebUtils.getInetAddress(request);
> > + }
> > }
> >
> > return super.createSubject(pc, session, authc, inet);
> >
> > Modified:
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
> > URL:
> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java?rev=745117&r1=745116&r2=745117&view=diff
> >
> ==============================================================================
> > --- incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
> (original)
> > +++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java Tue
> Feb 17 15:24:02 2009
> > @@ -305,6 +305,29 @@
> > }
> >
> > /**
> > + * Returns the current thread-bound {@code ServletRequest} or {@code
> null} if there is not one bound.
> > + * <p/>
> > + * It is the case in certain enterprise environments where a
> web-enabled SecurityManager (and its internal mechanisms)
> > + * is the primary SecurityManager but also serves as a 'central'
> coordinator for security operations in a cluster.
> > + * In these environments, it is possible for a web-enabled
> SecurityManager to receive remote method invocations that
> > + * are not HTTP based.
> > + * <p/>
> > + * In these environments, we need to acquire a thread-bound
> ServletRequest if it exists, but
> > + * not throw an exception if one is not found (with the assumption
> that the incoming call is not a web request but
> > + * instead a remote method invocation). This method exists to
> support these environments, whereas the
> > + * {@link #getRequiredServletRequest() getRequiredServletRequest()}
> method always assumes a
> > + * servlet-only environment.
> > + * <p/>
> > + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It exists for
> JSecurity implementation requirements only.
> > + *
> > + * @return the current thread-bound {@code ServletRequest} or {@code
> null} if there is not one bound.
> > + * @since 1.0
> > + */
> > + public static ServletRequest getServletRequest() {
> > + return (ServletRequest) ThreadContext.get(SERVLET_REQUEST_KEY);
> > + }
> > +
> > + /**
> > * Convenience method that simplifies retrieval of a required
> thread-bound ServletRequest. If there is no
> > * ServletRequest bound to the thread when this method is called, an
> <code>IllegalStateException</code> is
> > * thrown.
> > @@ -368,6 +391,29 @@
> > }
> >
> > /**
> > + * Returns the current thread-bound {@code ServletResponse} or
> {@code null} if there is not one bound.
> > + * <p/>
> > + * It is the case in certain enterprise environments where a
> web-enabled SecurityManager (and its internal mechanisms)
> > + * is the primary SecurityManager but also serves as a 'central'
> coordinator for security operations in a cluster.
> > + * In these environments, it is possible for a web-enabled
> SecurityManager to receive remote method invocations that
> > + * are not HTTP based.
> > + * <p/>
> > + * In these environments, we need to acquire a thread-bound
> ServletResponse if it exists, but
> > + * not throw an exception if one is not found (with the assumption
> that the incoming call is not a web request but
> > + * instead a remote method invocation). This method exists to
> support these environments, whereas the
> > + * {@link #getRequiredServletResponse()
> getRequiredServletResponse()} method always assumes a
> > + * servlet-only environment.
> > + * <p/>
> > + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It exists for
> JSecurity implementation requirements only.
> > + *
> > + * @return the current thread-bound {@code ServletResponse} or
> {@code null} if there is not one bound.
> > + * @since 1.0
> > + */
> > + public static ServletResponse getServletResponse() {
> > + return (ServletResponse)
> ThreadContext.get(SERVLET_RESPONSE_KEY);
> > + }
> > +
> > + /**
> > * Convenience method that simplifies retrieval of a required
> thread-bound ServletResponse. If there is no
> > * ServletResponse bound to the thread when this method is called, an
> <code>IllegalStateException</code> is
> > * thrown.
> >
> > Modified:
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
> > URL:
> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java?rev=745117&r1=745116&r2=745117&view=diff
> >
> ==============================================================================
> > ---
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
> (original)
> > +++
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
> Tue Feb 17 15:24:02 2009
> > @@ -42,21 +42,21 @@
> >
> > /**
> > * Main ServletFilter that configures and enables all JSecurity functions
> within a web application.
> > - *
> > + * <p/>
> > * The following is a fully commented example that documents how to
> configure it:
> > - *
> > + * <p/>
> > * <pre><filter>
> > * <filter-name>JSecurityFilter</filter-name>
> > *
> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
> > *
> <init-param><param-name>config</param-name><param-value>
> > - *
> > + * <p/>
> > * #NOTE: This config looks pretty long - but its not - its only 5 lines
> of actual config.
> > * # Everything else is just heavily commented to explain things
> in-depth. Feel free to delete any
> > * # comments that you don't want to read from your own
> configuration ;)
> > * #
> > * # Any commented values below are JSecurity's defaults. If you want to
> change any values, you only
> > * # need to uncomment the lines you want to change.
> > - *
> > + * <p/>
> > * [main]
> > * # The 'main' section defines JSecurity-wide configuration.
> > * #
> > @@ -69,7 +69,7 @@
> > * #
> > * #securityManager = {@link org.jsecurity.web.DefaultWebSecurityManager
> org.jsecurity.web.DefaultWebSecurityManager}
> > * #securityManager.{@linkorg.jsecurity.web.DefaultWebSecurityManager#setSessionMode(String)
> sessionMode} = http
> > - *
> > + * <p/>
> > * [filters]
> > * # This section defines the 'pool' of all Filters available to the url
> path definitions in the [urls] section below.
> > * #
> > @@ -112,7 +112,7 @@
> > * #
> > * # Define your own filters here. To properly handle url path matching
> (see the [urls] section below), your
> > * # filter should extend the {@link
> org.jsecurity.web.filter.PathMatchingFilter PathMatchingFilter} abstract
> class.
> > - *
> > + * <p/>
> > * [urls]
> > * # This section defines url path mappings. Each mapping entry must be
> on a single line and conform to the
> > * # following representation:
> > @@ -158,14 +158,14 @@
> > * # the text between the brackets as two permissions:
> 'remote:invoke:lan' and 'wan' instead of the
> > * # single desired 'remote:invoke:lan,wan' token. So, you can use
> quotes wherever you need to escape internal
> > * # commas.)
> > - *
> > + * <p/>
> > * /account/** = <a href="#authcBasic">authcBasic</a>
> > * /remoting/** = <a href="#authcBasic">authcBasic</a>, <a
> href="#roles">roles</a>[b2bClient], <a
> href="#perms">perms</a>[remote:invoke:"lan,wan"]
> > - *
> > + * <p/>
> > * </param-value></init-param>
> > * </filter>
> > - *
> > - *
> > + * <p/>
> > + * <p/>
> > * <filter-mapping>
> > * <filter-name>JSecurityFilter</filter-name>
> > * <url-pattern>/*</url-pattern>
> > @@ -185,7 +185,7 @@
> > public static final String CONFIG_INIT_PARAM_NAME = "config";
> > public static final String CONFIG_URL_INIT_PARAM_NAME = "configUrl";
> >
> > - private static final Log log =
> LogFactory.getLog(JSecurityFilter.class);
> > + private static final Log log =
> LogFactory.getLog(JSecurityFilter.class);
> >
> > protected String config;
> > protected String configUrl;
> > @@ -238,7 +238,7 @@
> > if (sm == null) {
> > if (log.isInfoEnabled()) {
> > log.info("Configuration instance [" + config + "] did
> not provide a SecurityManager. No config " +
> > - "specified? Defaulting to a " +
> DefaultWebSecurityManager.class.getName() + " instance...");
> > + "specified? Defaulting to a " +
> DefaultWebSecurityManager.class.getName() + " instance...");
> > }
> > sm = new DefaultWebSecurityManager();
> > }
> > @@ -255,8 +255,8 @@
> > this.configClassName = configCN;
> > } else {
> > String msg = "configClassName fully qualified class name
> value [" + configCN + "] is not " +
> > - "available in the classpath. Please ensure you
> have typed it correctly and the " +
> > - "corresponding class or jar is in the
> classpath.";
> > + "available in the classpath. Please ensure you have
> typed it correctly and the " +
> > + "corresponding class or jar is in the classpath.";
> > throw new ConfigurationException(msg);
> > }
> > }
> > @@ -277,7 +277,7 @@
> > protected void applyFilterConfig(WebConfiguration conf) {
> > if (log.isDebugEnabled()) {
> > String msg = "Attempting to inject the FilterConfig (using
> 'setFilterConfig' method) into the " +
> > - "instantiated WebConfiguration for any wrapped
> Filter initialization...";
> > + "instantiated WebConfiguration for any wrapped Filter
> initialization...";
> > log.debug(msg);
> > }
> > try {
> > @@ -301,9 +301,9 @@
> > PropertyUtils.setProperty(conf, "config",
> this.config);
> > } else {
> > String msg = "The 'config' filter param was
> specified, but there is no " +
> > - "'setConfig(String)' method on the
> Configuration instance [" + conf + "]. If you do " +
> > - "not require the 'config' filter param,
> please comment it out, or if you do need it, " +
> > - "please ensure your Configuration instance
> has a 'setConfig(String)' method to receive it.";
> > + "'setConfig(String)' method on the Configuration
> instance [" + conf + "]. If you do " +
> > + "not require the 'config' filter param, please
> comment it out, or if you do need it, " +
> > + "please ensure your Configuration instance has a
> 'setConfig(String)' method to receive it.";
> > throw new ConfigurationException(msg);
> > }
> > } catch (Exception e) {
> > @@ -322,9 +322,9 @@
> > PropertyUtils.setProperty(conf, "configUrl",
> this.configUrl);
> > } else {
> > String msg = "The 'configUrl' filter param was
> specified, but there is no " +
> > - "'setConfigUrl(String)' method on the
> Configuration instance [" + conf + "]. If you do " +
> > - "not require the 'configUrl' filter param,
> please comment it out, or if you do need it, " +
> > - "please ensure your Configuration instance
> has a 'setConfigUrl(String)' method to receive it.";
> > + "'setConfigUrl(String)' method on the
> Configuration instance [" + conf + "]. If you do " +
> > + "not require the 'configUrl' filter param,
> please comment it out, or if you do need it, " +
> > + "please ensure your Configuration instance has a
> 'setConfigUrl(String)' method to receive it.";
> > throw new ConfigurationException(msg);
> > }
> > } catch (Exception e) {
> > @@ -347,26 +347,69 @@
> > return WebUtils.getInetAddress(request);
> > }
> >
> > - protected void doFilterInternal(ServletRequest servletRequest,
> ServletResponse servletResponse,
> > - FilterChain origChain) throws
> ServletException, IOException {
> > + /**
> > + * Wraps the original HttpServletRequest in a {@link
> JSecurityHttpServletRequest}
> > + * @since 1.0
> > + */
> > + protected ServletRequest wrapServletRequest(HttpServletRequest orig)
> {
> > + return new JSecurityHttpServletRequest(orig,
> getServletContext(), isHttpSessions());
> > + }
> >
> > - HttpServletRequest request = (HttpServletRequest)
> servletRequest;
> > - HttpServletResponse response = (HttpServletResponse)
> servletResponse;
> > + /** @since 1.0 */
> > + protected ServletRequest prepareServletRequest(ServletRequest
> request, ServletResponse response,
> > + FilterChain chain) {
> > + ServletRequest toUse = request;
> > + if (request instanceof HttpServletRequest) {
> > + HttpServletRequest http = (HttpServletRequest) request;
> > + toUse = wrapServletRequest(http);
> > + }
> > + return toUse;
> > + }
> >
> > - ThreadContext.bind(getInetAddress(request));
> > + /** @since 1.0 */
> > + protected ServletResponse wrapServletResponse(HttpServletResponse
> orig, JSecurityHttpServletRequest request) {
> > + return new JSecurityHttpServletResponse(orig,
> getServletContext(), request);
> > + }
> >
> > - boolean httpSessions = isHttpSessions();
> > - request = new JSecurityHttpServletRequest(request,
> getServletContext(), httpSessions);
> > - if (!httpSessions) {
> > + /** @since 1.0 */
> > + protected ServletResponse prepareServletResponse(ServletRequest
> request, ServletResponse response,
> > + FilterChain chain)
> {
> > + ServletResponse toUse = response;
> > + if (isHttpSessions() && (request instanceof
> JSecurityHttpServletRequest) &&
> > + (response instanceof HttpServletResponse)) {
> > //the JSecurityHttpServletResponse exists to support URL
> rewriting for session ids. This is only needed if
> > //using JSecurity sessions (i.e. not simple HttpSession based
> sessions):
> > - response = new JSecurityHttpServletResponse(response,
> getServletContext(), (JSecurityHttpServletRequest) request);
> > + toUse = wrapServletResponse((HttpServletResponse) response,
> (JSecurityHttpServletRequest) request);
> > }
> > + return toUse;
> > + }
> >
> > + /** @since 1.0 */
> > + protected void bind(ServletRequest request, ServletResponse
> response) {
> > + WebUtils.bindInetAddressToThread(request);
> > WebUtils.bind(request);
> > WebUtils.bind(response);
> > ThreadContext.bind(getSecurityManager());
> > ThreadContext.bind(getSecurityManager().getSubject());
> > + }
> > +
> > + /** @since 1.0 */
> > + protected void unbind(ServletRequest request, ServletResponse
> response) {
> > + //arguments ignored, just clear the thread:
> > + ThreadContext.unbindSubject();
> > + ThreadContext.unbindSecurityManager();
> > + WebUtils.unbindServletResponse();
> > + WebUtils.unbindServletRequest();
> > + ThreadContext.unbindInetAddress();
> > + }
> > +
> > + protected void doFilterInternal(ServletRequest servletRequest,
> ServletResponse servletResponse,
> > + FilterChain origChain) throws
> ServletException, IOException {
> > +
> > + ServletRequest request = prepareServletRequest(servletRequest,
> servletResponse, origChain);
> > + ServletResponse response = prepareServletResponse(request,
> servletResponse, origChain);
> > +
> > + bind(request, response);
> >
> > FilterChain chain = getConfiguration().getChain(request,
> response, origChain);
> > if (chain == null) {
> > @@ -383,11 +426,7 @@
> > try {
> > chain.doFilter(request, response);
> > } finally {
> > - ThreadContext.unbindSubject();
> > - ThreadContext.unbindSecurityManager();
> > - WebUtils.unbindServletResponse();
> > - WebUtils.unbindServletRequest();
> > - ThreadContext.unbindInetAddress();
> > + unbind(request, response);
> > }
> > }
> >
> >
> > Modified:
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
> > URL:
> http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java?rev=745117&r1=745116&r2=745117&view=diff
> >
> ==============================================================================
> > ---
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
> (original)
> > +++
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
> Tue Feb 17 15:24:02 2009
> > @@ -229,7 +229,8 @@
> > return sessionId;
> > }
> >
> > - public Session retrieveSession(Serializable sessionId) throws
> InvalidSessionException, AuthorizationException {
> > + @Override
> > + protected Session retrieveSession(Serializable sessionId) throws
> InvalidSessionException, AuthorizationException {
> > if (sessionId != null) {
> > return super.retrieveSession(sessionId);
> > } else {
> >
> >
> >
>
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
Re: svn commit: r745117 - in /incubator/jsecurity/trunk: ./
samples/quickstart/ samples/standalone/ web/src/org/jsecurity/web/
web/src/org/jsecurity/web/servlet/ web/src/org/jsecurity/web/session/
Posted by Emmanuel Lecharny <el...@apache.org>.
I don't get it ...
Either the project files are a (temporary) hassle, and then you just
need to remove them completely, and you don't have to inject them back
(reminds me of a previous convo ;), or you keep them in svn, add some
svn:ignore flags locally and remove them from your disk, and when they
are fixed, you remove the svn:ignore property. That should do the
trick, IMO?
On Tue, Feb 17, 2009 at 4:24 PM, <lh...@apache.org> wrote:
> Author: lhazlewood
> Date: Tue Feb 17 15:24:02 2009
> New Revision: 745117
>
> URL: http://svn.apache.org/viewvc?rev=745117&view=rev
> Log:
> removing project files for now (seeing errors in my IDE) - will re-add them after cleanup. Also added some utility methods to reduce method complexity
>
> Removed:
> incubator/jsecurity/trunk/jsecurity.iml
> incubator/jsecurity/trunk/jsecurity.ipr
> incubator/jsecurity/trunk/samples/quickstart/quickstart.iml
> incubator/jsecurity/trunk/samples/standalone/standalone.iml
> Modified:
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
> incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
>
> Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java
> URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java?rev=745117&r1=745116&r2=745117&view=diff
> ==============================================================================
> --- incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java (original)
> +++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/DefaultWebSecurityManager.java Tue Feb 17 15:24:02 2009
> @@ -75,7 +75,7 @@
> this();
> setRealms(realms);
> }
> -
> +
> /**
> * Sets the path used to store the remember me cookie. This determines which paths
> * are able to view the remember me cookie.
> @@ -149,7 +149,6 @@
> LifecycleUtils.destroy(getSessionManager());
> WebSessionManager sessionManager = createSessionManager(mode);
> setSessionManager(sessionManager);
> - setSubjectFactory(new WebSubjectFactory(this, sessionManager));
> }
> }
>
>
> Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java
> URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java?rev=745117&r1=745116&r2=745117&view=diff
> ==============================================================================
> --- incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java (original)
> +++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebSubjectFactory.java Tue Feb 17 15:24:02 2009
> @@ -85,9 +85,14 @@
> }
>
> protected Session getWebSession() {
> - ServletRequest request = WebUtils.getRequiredServletRequest();
> - ServletResponse response = WebUtils.getRequiredServletResponse();
> - return getWebSessionManager().getSession(request, response);
> + ServletRequest request = WebUtils.getServletRequest();
> + ServletResponse response = WebUtils.getServletResponse();
> + if ( request == null || response == null ) {
> + //no current web request - probably a remote method invocation that didn't come in via a servlet request:
> + return null;
> + } else {
> + return getWebSessionManager().getSession(request, response);
> + }
> }
>
> @Override
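Review bot: `getWebSession()` now returns `null` silently when no request or response is bound to the thread, and the next hunk (`@@ -110,7 +115,10 @@`) likewise leaves `inet` null, so a missing binding on a real web request can no longer be told apart from the remote-invocation case the comment describes. Before this change both paths went through the `getRequired…` accessors, which are documented to throw `IllegalStateException` when nothing is bound. Callers outside these hunks presumably now have to handle a null session and a null address, which matters if either feeds session lookup or host-based checks. I would state the contract on the method, e.g. `@return the web session, or {@code null} if no servlet request/response is bound to the current thread`, and log at debug level in the null branch so a request that bypassed the filter's binding is visible.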
> @@ -110,7 +115,10 @@
>
> InetAddress inet = inetAddress;
> if (inet == null) {
> - inet = WebUtils.getInetAddress(WebUtils.getRequiredServletRequest());
> + ServletRequest request = WebUtils.getServletRequest();
> + if ( request != null ) {
> + inet = WebUtils.getInetAddress(request);
> + }
> }
>
> return super.createSubject(pc, session, authc, inet);
>
> Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java
> URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java?rev=745117&r1=745116&r2=745117&view=diff
> ==============================================================================
> --- incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java (original)
> +++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/WebUtils.java Tue Feb 17 15:24:02 2009
> @@ -305,6 +305,29 @@
> }
>
> /**
> + * Returns the current thread-bound {@code ServletRequest} or {@code null} if there is not one bound.
> + * <p/>
> + * It is the case in certain enterprise environments where a web-enabled SecurityManager (and its internal mechanisms)
> + * is the primary SecurityManager but also serves as a 'central' coordinator for security operations in a cluster.
> + * In these environments, it is possible for a web-enabled SecurityManager to receive remote method invocations that
> + * are not HTTP based.
> + * <p/>
> + * In these environments, we need to acquire a thread-bound ServletRequest if it exists, but
> + * not throw an exception if one is not found (with the assumption that the incoming call is not a web request but
> + * instead a remote method invocation). This method exists to support these environments, whereas the
> + * {@link #getRequiredServletRequest() getRequiredServletRequest()} method always assumes a
> + * servlet-only environment.
> + * <p/>
> + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It exists for JSecurity implementation requirements only.
> + *
> + * @return the current thread-bound {@code ServletRequest} or {@code null} if there is not one bound.
> + * @since 1.0
> + */
> + public static ServletRequest getServletRequest() {
> + return (ServletRequest) ThreadContext.get(SERVLET_REQUEST_KEY);
> + }
> +
> + /**
> * Convenience method that simplifies retrieval of a required thread-bound ServletRequest. If there is no
> * ServletRequest bound to the thread when this method is called, an <code>IllegalStateException</code> is
> * thrown.
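Review bot: `getServletRequest()` is declared `public static` although its Javadoc states it is not part of JSecurity's public API, and the same holds for `getServletResponse()` in the next hunk (`@@ -368,6 +391,29 @@`). The only caller visible in this commit is `WebSubjectFactory`, which sits in the same `org.jsecurity.web` package, so package-private visibility would enforce the restriction instead of relying on a comment. Callers outside this diff may exist, so that needs checking before narrowing the modifier.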
> @@ -368,6 +391,29 @@
> }
>
> /**
> + * Returns the current thread-bound {@code ServletResponse} or {@code null} if there is not one bound.
> + * <p/>
> + * It is the case in certain enterprise environments where a web-enabled SecurityManager (and its internal mechanisms)
> + * is the primary SecurityManager but also serves as a 'central' coordinator for security operations in a cluster.
> + * In these environments, it is possible for a web-enabled SecurityManager to receive remote method invocations that
> + * are not HTTP based.
> + * <p/>
> + * In these environments, we need to acquire a thread-bound ServletResponse if it exists, but
> + * not throw an exception if one is not found (with the assumption that the incoming call is not a web request but
> + * instead a remote method invocation). This method exists to support these environments, whereas the
> + * {@link #getRequiredServletResponse() getRequiredServletResponse()} method always assumes a
> + * servlet-only environment.
> + * <p/>
> + * <b>THIS IS NOT PART OF JSECURITY'S PUBLIC API.</b> It exists for JSecurity implementation requirements only.
> + *
> + * @return the current thread-bound {@code ServletResponse} or {@code null} if there is not one bound.
> + * @since 1.0
> + */
> + public static ServletResponse getServletResponse() {
> + return (ServletResponse) ThreadContext.get(SERVLET_RESPONSE_KEY);
> + }
> +
> + /**
> * Convenience method that simplifies retrieval of a required thread-bound ServletResponse. If there is no
> * ServletResponse bound to the thread when this method is called, an <code>IllegalStateException</code> is
> * thrown.
>
> Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java
> URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java?rev=745117&r1=745116&r2=745117&view=diff
> ==============================================================================
> --- incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java (original)
> +++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/servlet/JSecurityFilter.java Tue Feb 17 15:24:02 2009
> @@ -42,21 +42,21 @@
>
> /**
> * Main ServletFilter that configures and enables all JSecurity functions within a web application.
> - *
> + * <p/>
> * The following is a fully commented example that documents how to configure it:
> - *
> + * <p/>
> * <pre><filter>
> * <filter-name>JSecurityFilter</filter-name>
> * <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
> * <init-param><param-name>config</param-name><param-value>
> - *
> + * <p/>
> * #NOTE: This config looks pretty long - but its not - its only 5 lines of actual config.
> * # Everything else is just heavily commented to explain things in-depth. Feel free to delete any
> * # comments that you don't want to read from your own configuration ;)
> * #
> * # Any commented values below are JSecurity's defaults. If you want to change any values, you only
> * # need to uncomment the lines you want to change.
> - *
> + * <p/>
> * [main]
> * # The 'main' section defines JSecurity-wide configuration.
> * #
> @@ -69,7 +69,7 @@
> * #
> * #securityManager = {@link org.jsecurity.web.DefaultWebSecurityManager org.jsecurity.web.DefaultWebSecurityManager}
> * #securityManager.{@link org.jsecurity.web.DefaultWebSecurityManager#setSessionMode(String) sessionMode} = http
> - *
> + * <p/>
> * [filters]
> * # This section defines the 'pool' of all Filters available to the url path definitions in the [urls] section below.
> * #
> @@ -112,7 +112,7 @@
> * #
> * # Define your own filters here. To properly handle url path matching (see the [urls] section below), your
> * # filter should extend the {@link org.jsecurity.web.filter.PathMatchingFilter PathMatchingFilter} abstract class.
> - *
> + * <p/>
> * [urls]
> * # This section defines url path mappings. Each mapping entry must be on a single line and conform to the
> * # following representation:
> @@ -158,14 +158,14 @@
> * # the text between the brackets as two permissions: 'remote:invoke:lan' and 'wan' instead of the
> * # single desired 'remote:invoke:lan,wan' token. So, you can use quotes wherever you need to escape internal
> * # commas.)
> - *
> + * <p/>
> * /account/** = <a href="#authcBasic">authcBasic</a>
> * /remoting/** = <a href="#authcBasic">authcBasic</a>, <a href="#roles">roles</a>[b2bClient], <a href="#perms">perms</a>[remote:invoke:"lan,wan"]
> - *
> + * <p/>
> * </param-value></init-param>
> * </filter>
> - *
> - *
> + * <p/>
> + * <p/>
> * <filter-mapping>
> * <filter-name>JSecurityFilter</filter-name>
> * <url-pattern>/*</url-pattern>
> @@ -185,7 +185,7 @@
> public static final String CONFIG_INIT_PARAM_NAME = "config";
> public static final String CONFIG_URL_INIT_PARAM_NAME = "configUrl";
>
> - private static final Log log = LogFactory.getLog(JSecurityFilter.class);
> + private static final Log log = LogFactory.getLog(JSecurityFilter.class);
>
> protected String config;
> protected String configUrl;
> @@ -238,7 +238,7 @@
> if (sm == null) {
> if (log.isInfoEnabled()) {
> log.info("Configuration instance [" + config + "] did not provide a SecurityManager. No config " +
> - "specified? Defaulting to a " + DefaultWebSecurityManager.class.getName() + " instance...");
> + "specified? Defaulting to a " + DefaultWebSecurityManager.class.getName() + " instance...");
> }
> sm = new DefaultWebSecurityManager();
> }
> @@ -255,8 +255,8 @@
> this.configClassName = configCN;
> } else {
> String msg = "configClassName fully qualified class name value [" + configCN + "] is not " +
> - "available in the classpath. Please ensure you have typed it correctly and the " +
> - "corresponding class or jar is in the classpath.";
> + "available in the classpath. Please ensure you have typed it correctly and the " +
> + "corresponding class or jar is in the classpath.";
> throw new ConfigurationException(msg);
> }
> }
> @@ -277,7 +277,7 @@
> protected void applyFilterConfig(WebConfiguration conf) {
> if (log.isDebugEnabled()) {
> String msg = "Attempting to inject the FilterConfig (using 'setFilterConfig' method) into the " +
> - "instantiated WebConfiguration for any wrapped Filter initialization...";
> + "instantiated WebConfiguration for any wrapped Filter initialization...";
> log.debug(msg);
> }
> try {
> @@ -301,9 +301,9 @@
> PropertyUtils.setProperty(conf, "config", this.config);
> } else {
> String msg = "The 'config' filter param was specified, but there is no " +
> - "'setConfig(String)' method on the Configuration instance [" + conf + "]. If you do " +
> - "not require the 'config' filter param, please comment it out, or if you do need it, " +
> - "please ensure your Configuration instance has a 'setConfig(String)' method to receive it.";
> + "'setConfig(String)' method on the Configuration instance [" + conf + "]. If you do " +
> + "not require the 'config' filter param, please comment it out, or if you do need it, " +
> + "please ensure your Configuration instance has a 'setConfig(String)' method to receive it.";
> throw new ConfigurationException(msg);
> }
> } catch (Exception e) {
> @@ -322,9 +322,9 @@
> PropertyUtils.setProperty(conf, "configUrl", this.configUrl);
> } else {
> String msg = "The 'configUrl' filter param was specified, but there is no " +
> - "'setConfigUrl(String)' method on the Configuration instance [" + conf + "]. If you do " +
> - "not require the 'configUrl' filter param, please comment it out, or if you do need it, " +
> - "please ensure your Configuration instance has a 'setConfigUrl(String)' method to receive it.";
> + "'setConfigUrl(String)' method on the Configuration instance [" + conf + "]. If you do " +
> + "not require the 'configUrl' filter param, please comment it out, or if you do need it, " +
> + "please ensure your Configuration instance has a 'setConfigUrl(String)' method to receive it.";
> throw new ConfigurationException(msg);
> }
> } catch (Exception e) {
> @@ -347,26 +347,69 @@
> return WebUtils.getInetAddress(request);
> }
>
> - protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse,
> - FilterChain origChain) throws ServletException, IOException {
> + /**
> + * Wraps the original HttpServletRequest in a {@link JSecurityHttpServletRequest}
> + * @since 1.0
> + */
> + protected ServletRequest wrapServletRequest(HttpServletRequest orig) {
> + return new JSecurityHttpServletRequest(orig, getServletContext(), isHttpSessions());
> + }
>
> - HttpServletRequest request = (HttpServletRequest) servletRequest;
> - HttpServletResponse response = (HttpServletResponse) servletResponse;
> + /** @since 1.0 */
> + protected ServletRequest prepareServletRequest(ServletRequest request, ServletResponse response,
> + FilterChain chain) {
> + ServletRequest toUse = request;
> + if (request instanceof HttpServletRequest) {
> + HttpServletRequest http = (HttpServletRequest) request;
> + toUse = wrapServletRequest(http);
> + }
> + return toUse;
> + }
>
> - ThreadContext.bind(getInetAddress(request));
> + /** @since 1.0 */
> + protected ServletResponse wrapServletResponse(HttpServletResponse orig, JSecurityHttpServletRequest request) {
> + return new JSecurityHttpServletResponse(orig, getServletContext(), request);
> + }
>
> - boolean httpSessions = isHttpSessions();
> - request = new JSecurityHttpServletRequest(request, getServletContext(), httpSessions);
> - if (!httpSessions) {
> + /** @since 1.0 */
> + protected ServletResponse prepareServletResponse(ServletRequest request, ServletResponse response,
> + FilterChain chain) {
> + ServletResponse toUse = response;
> + if (isHttpSessions() && (request instanceof JSecurityHttpServletRequest) &&
> + (response instanceof HttpServletResponse)) {
> //the JSecurityHttpServletResponse exists to support URL rewriting for session ids. This is only needed if
> //using JSecurity sessions (i.e. not simple HttpSession based sessions):
> - response = new JSecurityHttpServletResponse(response, getServletContext(), (JSecurityHttpServletRequest) request);
> + toUse = wrapServletResponse((HttpServletResponse) response, (JSecurityHttpServletRequest) request);
> }
> + return toUse;
> + }
>
> + /** @since 1.0 */
> + protected void bind(ServletRequest request, ServletResponse response) {
> + WebUtils.bindInetAddressToThread(request);
> WebUtils.bind(request);
> WebUtils.bind(response);
> ThreadContext.bind(getSecurityManager());
> ThreadContext.bind(getSecurityManager().getSubject());
> + }
> +
> + /** @since 1.0 */
> + protected void unbind(ServletRequest request, ServletResponse response) {
> + //arguments ignored, just clear the thread:
> + ThreadContext.unbindSubject();
> + ThreadContext.unbindSecurityManager();
> + WebUtils.unbindServletResponse();
> + WebUtils.unbindServletRequest();
> + ThreadContext.unbindInetAddress();
> + }
> +
> + protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse,
> + FilterChain origChain) throws ServletException, IOException {
> +
> + ServletRequest request = prepareServletRequest(servletRequest, servletResponse, origChain);
> + ServletResponse response = prepareServletResponse(request, servletResponse, origChain);
> +
> + bind(request, response);
>
> FilterChain chain = getConfiguration().getChain(request, response, origChain);
> if (chain == null) {
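Review bot: The condition in `prepareServletResponse` is inverted relative to the code it replaces. The removed lines wrapped the response under `if (!httpSessions)`, and the retained comment says the wrapper is only needed when using JSecurity sessions rather than HttpSession-based ones, yet the new test begins with `isHttpSessions() &&`. As written, the URL-rewriting wrapper is applied in HttpSession mode and skipped in JSecurity-session mode, so session ids would not be rewritten into URLs in the mode that needs it. The first operand should be negated: `if (!isHttpSessions() && (request instanceof JSecurityHttpServletRequest) &&`. `doFilterInternal` continues past the end of this hunk.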
> @@ -383,11 +426,7 @@
> try {
> chain.doFilter(request, response);
> } finally {
> - ThreadContext.unbindSubject();
> - ThreadContext.unbindSecurityManager();
> - WebUtils.unbindServletResponse();
> - WebUtils.unbindServletRequest();
> - ThreadContext.unbindInetAddress();
> + unbind(request, response);
> }
> }
>
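Review bot: The `finally` that calls `unbind(request, response)` covers only `chain.doFilter(...)`, while `bind(request, response)` and `getConfiguration().getChain(...)` in the previous hunk run before the `try`. If either throws, the Subject, SecurityManager and request stay attached to a thread the container will likely reuse for a different request; `bind` calls `getSecurityManager().getSubject()` only after the request and response are already bound. Moving `bind(request, response);` and the chain lookup inside the `try` would make the cleanup unconditional. The lines between the two hunks are not visible here, so confirm nothing there depends on the current ordering.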
>
> Modified: incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java
> URL: http://svn.apache.org/viewvc/incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java?rev=745117&r1=745116&r2=745117&view=diff
> ==============================================================================
> --- incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java (original)
> +++ incubator/jsecurity/trunk/web/src/org/jsecurity/web/session/DefaultWebSessionManager.java Tue Feb 17 15:24:02 2009
> @@ -229,7 +229,8 @@
> return sessionId;
> }
>
> - public Session retrieveSession(Serializable sessionId) throws InvalidSessionException, AuthorizationException {
> + @Override
> + protected Session retrieveSession(Serializable sessionId) throws InvalidSessionException, AuthorizationException {
> if (sessionId != null) {
> return super.retrieveSession(sessionId);
> } else {
>
>
>
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com