Posted to user@shiro.apache.org by Francesco Pasqualini <fr...@gmail.com> on 2011/01/02 11:36:29 UTC

shiro + GWT problem

Hi,
I really like the Shiro API and approach.
I'm trying to use Shiro with GWT, but it seems there is a problem.

According to the GWT "login security FAQ", I need to avoid using, on the server
side, the session id retrieved from the cookie; instead I must pass it in the payload
of the RPC request.

http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ

So I implemented my GWT+Shiro as follows:

1) when the user starts login: obtain the new Shiro sessionId, pass it to the
client, and store it on the client to pass back to the server
2) when a logged-in user does an RPC request: pass the stored sessionId from the
client to the server in the payload of the RPC request, and on the server side I
access the session this way:
Subject.Builder().sessionId(sessionId).buildSubject().getSession()

But my code does not work.
When the user logs out and logs in again, Shiro does not provide a new sessionId
but keeps using the old one, which is no longer valid (after logout), so I get the
following exception when I try to login with Shiro (currentUser.login(token)):
"There is no session with id [the old ID]".

Is there a way to tell Shiro not to use the sessionId passed with
cookies but only the one passed "programmatically"?

thanks

Re: shiro + GWT problem

Posted by Les Hazlewood <lh...@apache.org>.
Hi Francesco,

The suggested settings work if you're using the IniShiroFilter, which
is generally assumed to exist in any web application.  It sounds like
you're not using it - in which case, then yes, you'll need to do
exactly what you've described.

Shiro's Spring support's SecureRemoteInvocationExecutor is another
great example to follow when building your own custom RPC endpoint
mechanism without the IniShiroFilter:

https://svn.apache.org/repos/asf/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/remoting/SecureRemoteInvocationExecutor.java

The key point is that the ShiroFilter implementations,
SecureRemoteInvocationExecutor and essentially any other RPC/request
interceptor need to do 4 important things:

1.  Acquire the session id (or perhaps other identifying data) from
the RPC/request payload, so it can know who is making the request.
2.  Build the Subject based on the payload data, usually using the
Subject.Builder (or WebSubject.Builder).
3.  Bind the subject to the thread before continuing.
4.  Unbind the subject from the thread after the request/method/whatever
has been invoked or has failed.

Steps 3 and 4 are done automatically if using the Subject.execute
method, which is generally the preferred approach.  See the
SecureRemoteInvocationExecutor source code for an example.

Cheers,

Les

On Tue, Jan 4, 2011 at 7:02 PM, Francesco Pasqualini <fr...@gmail.com> wrote:

Re: shiro + GWT problem

Posted by Francesco Pasqualini <fr...@gmail.com>.
Hi Les,
thanks for your reply.
As you have seen in my auto-reply, I found a working solution.

Then I tried the settings you suggested and it doesn't work.

It gives me the following exception:

Property 'sessionMode' does not exist for object of type
org.apache.shiro.mgt.DefaultSecurityManager.

(with securityManager.sessionMode = native)

I tried another thing.
I disabled the cookie in the browser and my solution works perfectly too.
(without securityManager.sessionMode = native)

My working solution is:

Empty shiro.ini except for [user] section

Login:
        currentUser = new Subject.Builder().buildSubject();
        currentUser.login(token);
        currentUser.getSession(true);

Retrieve Session by sessionID (logged-in user):
        new Subject.Builder().sessionId(sessionId).buildSubject().getSession();

Logout:
        currentUser = new Subject.Builder().sessionId(sessionID).buildSubject();
        currentUser.logout();


This is working very well, but is it the correct way to achieve what I want?

thanks





On Tue, Jan 4, 2011 at 9:25 PM, Les Hazlewood <lh...@apache.org> wrote:
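Putting Les's four interceptor steps and Francesco's login / retrieve-by-id / logout sequence together as one runnable Java program (an added example, not code from this thread or from the Shiro project). It assumes a plain DefaultSecurityManager with an in-memory IniRealm, a constructed user "alice"/"secret" standing in for the [users] section of shiro.ini, and hypothetical method names login, invokeAs and logout for the three RPC endpoints; the GWT client is not shown, only what the server does with the session id carried in the RPC payload.

```java
import java.io.Serializable;
import java.util.concurrent.Callable;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.Subject;

public class PayloadSessionRpc {

    // Constructed stand-in for the [users] section of shiro.ini: one user, one password.
    private static DefaultSecurityManager newSecurityManager() {
        Ini ini = new Ini();
        ini.addSection(IniRealm.USERS_SECTION_NAME).put("alice", "secret");
        DefaultSecurityManager sm = new DefaultSecurityManager(new IniRealm(ini));
        // A non-web DefaultSecurityManager already uses Shiro's native
        // DefaultSessionManager, so session ids resolve programmatically;
        // 'sessionMode' is a property of DefaultWebSecurityManager only.
        // The validation scheduler is switched off so this short-lived demo
        // does not keep a background thread alive.
        DefaultSessionManager sessions = new DefaultSessionManager();
        sessions.setSessionValidationSchedulerEnabled(false);
        sm.setSessionManager(sessions);
        return sm;
    }

    /** Login RPC: authenticate on a fresh Subject and hand the client the new session id.
     *  A fresh Subject is used instead of SecurityUtils.getSubject() so that nothing
     *  left bound to the thread by an earlier request leaks into this login. */
    static Serializable login(String user, char[] password) {
        Subject subject = new Subject.Builder().buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject.getSession(true).getId();
    }

    /** Authenticated RPC: the four interceptor steps from the thread.
     *  1. the id arrives in the payload (the sessionId parameter), not in a cookie;
     *  2. the Subject is rebuilt from it with Subject.Builder;
     *  3./4. Subject.execute binds it to the thread, runs the work, and unbinds
     *  in a finally block whether the work returns or throws. */
    static <V> V invokeAs(Serializable sessionId, Callable<V> work) {
        Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();
        // A stopped or unknown id does not throw here: Shiro quietly builds an
        // anonymous Subject instead, so the caller must check before doing work.
        if (!subject.isAuthenticated()) {
            throw new SessionException("no authenticated session for id " + sessionId);
        }
        return subject.execute(work);
    }

    /** Logout RPC: stop the native session so the id can never be reused. */
    static void logout(Serializable sessionId) {
        new Subject.Builder().sessionId(sessionId).buildSubject().logout();
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = newSecurityManager();
        SecurityUtils.setSecurityManager(sm); // Subject.Builder() with no arguments uses this

        Serializable id = login("alice", "secret".toCharArray());
        String who = invokeAs(id, () -> SecurityUtils.getSubject().getPrincipal().toString());
        System.out.println("RPC ran as " + who);

        logout(id);
        try {
            invokeAs(id, () -> "never runs");
        } catch (SessionException e) {
            System.out.println("stale id rejected: " + e.getMessage());
        }

        // Logging in again on a fresh Subject yields a new, different session id.
        Serializable id2 = login("alice", "secret".toCharArray());
        System.out.println("new id differs from old: " + !id2.equals(id));
        sm.destroy();
    }
}
```

Run it with shiro-core on the classpath. The isAuthenticated() check in invokeAs is the piece worth noticing: when a stale or stopped id is handed to Subject.Builder, Shiro does not throw; it builds an anonymous Subject, and calling getSession() on that Subject would silently create a brand-new session for an unauthenticated caller.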

Re: shiro + GWT problem

Posted by Les Hazlewood <lh...@apache.org>.
Hi Francesco,

Your logic is exactly correct, with one caveat:  passing a session id
manually _only_ works when using Shiro's native sessions.  There is no
way to obtain a session from the ServletContainer based on a session
ID.  Therefore, you need to ensure that you're using Shiro's native
sessions and _not_ the servlet container sessions (which are used by
default).

In Shiro's INI, you can configure this easily:

securityManager.sessionMode = native
# you can also disable the session cookie entirely after native
sessions are enabled:
securityManager.sessionManager.sessionIdCookieEnabled = false

That should work.  Please let us know how it goes!

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com


On Sun, Jan 2, 2011 at 5:36 AM, Francesco Pasqualini <fr...@gmail.com> wrote:

Re: shiro + GWT problem

Posted by Francesco Pasqualini <fr...@gmail.com>.
Hi,
I solved my problem. I discovered (by disabling cookies) that it wasn't a
cookie-related problem.

I changed my code.
When the user logs in, I changed a line as follows:

        //currentUser = SecurityUtils.getSubject();  // NOT working !
        currentUser =  new Subject.Builder().buildSubject();

        currentUser.login(token);
        currentUser.getSession(true);

Now everything works.

I don't know if there is a bug in Shiro: it seems that
SecurityUtils.getSubject() retains a disconnected session id.

Francesco
On Sun, Jan 2, 2011 at 11:36 AM, Francesco Pasqualini <fr...@gmail.com> wrote:
