Posted to user@shiro.apache.org by "jonathan.labin" <jo...@gmail.com> on 2016/03/14 20:05:11 UTC

Realm Exception Handling

I have a web application secured by Shiro configured with a custom realm that
loads authorization information from a database.
There are a number of error cases that the realm can face.
These include things like the user not found in the database, or the user
account is marked as disabled.

Currently these cases are handled by throwing an AuthorizationException;
however, this ultimately results in an HTTP 500 error being displayed to the
user.

What is the recommended method of handling these exception cases?  Is there
a way to catch these exceptions and redirect the browser to an error page?

Thanks.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Realm-Exception-Handling-tp7580979.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Realm Exception Handling

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Actually, I misread your post slightly. We don't throw exceptions in the doGetAuthorization method, just the doGetAuthentication method.

The former just needs to fill out permissions and roles and should not throw exceptions. If something goes wrong it should just return with the empty permissions and roles list. 

> On Mar 14, 2016, at 3:53 PM, jonathan.labin <jo...@gmail.com> wrote:
> 
> Hmm.  Well that is welcome confirmation.
> 
> I have an unauthorizedUrl value set for the URL filters (roles, perms, and
> casRoles).
> But I can understand that none of these filters are even processing yet when
> an exception is thrown by the realm during doGetAuthorizationInfo.
> 
> Is there an additional object onto which you are setting an unauthorizedUrl
> value?
> 
> 
> 
> 
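
Added example, not part of the original thread and not the poster's AuthzOnlyJpaRealm: a sketch of the advice in the reply above, where doGetAuthorizationInfo logs the failure server-side and returns an empty role and permission set instead of throwing, so the roles filter denies the request and applies its unauthorizedUrl. The class name, the Account record, the lookup() helper and the sample accounts are hypothetical, the primary principal is assumed to be the username, and Java 17 with Apache Shiro on the classpath is assumed.

```java
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Hypothetical authorization-only realm that fails closed instead of throwing. */
public class FailClosedAuthzRealm extends AuthorizingRealm {

    private static final Logger LOG = Logger.getLogger(FailClosedAuthzRealm.class.getName());

    /** Constructed stand-in for a database row. */
    record Account(boolean enabled, Set<String> roles, Set<String> permissions) {}

    // Constructed sample data standing in for the JPA query.
    private static final Map<String, Account> ACCOUNTS = Map.of(
            "alice", new Account(true, Set.of("observer"), Set.of("report:read")),
            "test", new Account(false, Set.of("observer"), Set.of()));

    @Override
    public boolean supports(AuthenticationToken token) {
        return false; // authorization only: another realm performs authentication
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        return null; // never consulted because supports() returns false
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // A new SimpleAuthorizationInfo carries no roles and no permissions.
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        String user = String.valueOf(principals.getPrimaryPrincipal());
        try {
            Account account = lookup(user);
            if (account == null) {
                LOG.warning("authz denied, no account for " + safe(user));
            } else if (!account.enabled()) {
                LOG.warning("authz denied, account disabled for " + safe(user));
            } else {
                info.addRoles(account.roles());
                info.addStringPermissions(account.permissions());
            }
        } catch (RuntimeException e) {
            // Lookup failure: record the cause for operators, grant nothing.
            LOG.log(Level.SEVERE, "authz lookup failed for " + safe(user), e);
            return new SimpleAuthorizationInfo();
        }
        return info;
    }

    /** Hypothetical lookup; a real one would query the database and may throw. */
    private Account lookup(String user) {
        return ACCOUNTS.get(user);
    }

    /** Keep CR/LF out of log lines built from the principal. */
    private static String safe(String s) {
        return s.replaceAll("[\\r\\n]", "_");
    }
}
```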

Re: Realm Exception Handling

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Nope. Your configuration looks reasonable. 
Things should work correctly in your setup but they don't for some reason. 

> On Mar 14, 2016, at 3:53 PM, jonathan.labin <jo...@gmail.com> wrote:
> 
> Hmm.  Well that is welcome confirmation.
> 
> I have an unauthorizedUrl value set for the URL filters (roles, perms, and
> casRoles).
> But I can understand that none of these filters are even processing yet when
> an exception is thrown by the realm during doGetAuthorizationInfo.
> 
> Is there an additional object onto which you are setting an unauthorizedUrl
> value?
> 
> 
> 
> 

Re: Realm Exception Handling

Posted by "jonathan.labin" <jo...@gmail.com>.
Hmm.  Well that is welcome confirmation.

I have an unauthorizedUrl value set for the URL filters (roles, perms, and
casRoles).
But I can understand that none of these filters are even processing yet when
an exception is thrown by the realm during doGetAuthorizationInfo.

Is there an additional object onto which you are setting an unauthorizedUrl
value?




Re: Realm Exception Handling

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
In my setup, unauthorized users are correctly redirected to unauthorizedURL page.
I see you have unauthorizedURL page set up in your shiro.ini, so it should work just fine.
I am not sure why it doesn’t work for you, but we have a database AuthorizingRealm
that throws org.apache.shiro.authz.AuthorizationException and it redirects properly to a proper page.

> On Mar 14, 2016, at 3:45 PM, jonathan.labin <jo...@gmail.com> wrote:
> 
> My system is correctly redirecting to the login page for authentication.
> This is after authentication, in a separate authorization realm.
> 
> However, regardless of the realm being an authenticating or authorizing
> realm (or both), my question is about exceptions that are thrown by that
> realm and what methods there are for catching and handling those exceptions
> in a useful way (for example redirecting to an error page).
> 
> 
> 
> 


Re: Realm Exception Handling

Posted by "jonathan.labin" <jo...@gmail.com>.
My system is correctly redirecting to the login page for authentication.
This is after authentication, in a separate authorization realm.

However, regardless of the realm being an authenticating or authorizing
realm (or both), my question is about exceptions that are thrown by that
realm and what methods there are for catching and handling those exceptions
in a useful way (for example redirecting to an error page).




Re: Realm Exception Handling

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Not sure from your stack trace.  Are you including the “caused by” stack traces?
In my setup, it goes back to the login page, but I don’t use CAS, perhaps there is something
CAS-specific you need to do to redirect to a login page when unauthenticated.
No exceptions show up in the logs when the user is redirected to the login page.

> On Mar 14, 2016, at 3:34 PM, jonathan.labin <jo...@gmail.com> wrote:
> 
> Sure. But while I get those together, what is the result when you have
> exceptions?
> 
> [main]
> subjectFactory = io.buji.pac4j.ClientSubjectFactory
> securityManager.subjectFactory = $subjectFactory
> 
> # CAS Provider
> casClient = org.pac4j.cas.client.CasClient
> casClient.casLoginUrl = casUrl
> rolesFromLdap = my.org.RolesFromLdapMemberOfAuthGen
> casClient.authorizationGenerator = $rolesFromLdap
> resolver=my.org.GswCallbackUrlResolver
> casClient.callbackUrlResolver = $resolver
> 
> clients = org.pac4j.core.client.Clients
> clients.callbackUrl = callback
> clients.clientsList = $casClient
> 
> clientsRealm = io.buji.pac4j.ClientRealm
> clientsRealm.defaultRoles = ROLE_USER
> clientsRealm.clients = $clients
> 
> clientsFilter = io.buji.pac4j.ClientFilter
> clientsFilter.clients = $clients
> 
> casRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
> casRoles.client = $casClient
> casRoles.unauthorizedUrl = 401error.jsp
> 
> jpaRealm = my.org.AuthzOnlyJpaRealm
> 
> securityManager.realms = $clientsRealm, $jpaRealm
> 
> roles.unauthorizedUrl = /401error.jsp
> perms.unauthorizedUrl = /401error.jsp
> 
> ssl.port = 8181
> 
> [urls]
> /callback = clientsFilter
> /logout = logout
> /401error.jsp = anon
> /** = ssl, casRoles[ROLE_USER], roles[observer]
> 
> 
> 


Re: Realm Exception Handling

Posted by "jonathan.labin" <jo...@gmail.com>.
Sure. But while I get those together, what is the result when you have
exceptions?

[main]
subjectFactory = io.buji.pac4j.ClientSubjectFactory
securityManager.subjectFactory = $subjectFactory

# CAS Provider
casClient = org.pac4j.cas.client.CasClient
casClient.casLoginUrl = casUrl
rolesFromLdap = my.org.RolesFromLdapMemberOfAuthGen
casClient.authorizationGenerator = $rolesFromLdap
resolver=my.org.GswCallbackUrlResolver
casClient.callbackUrlResolver = $resolver

clients = org.pac4j.core.client.Clients
clients.callbackUrl = callback
clients.clientsList = $casClient

clientsRealm = io.buji.pac4j.ClientRealm
clientsRealm.defaultRoles = ROLE_USER
clientsRealm.clients = $clients

clientsFilter = io.buji.pac4j.ClientFilter
clientsFilter.clients = $clients

casRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
casRoles.client = $casClient
casRoles.unauthorizedUrl = 401error.jsp

jpaRealm = my.org.AuthzOnlyJpaRealm

securityManager.realms = $clientsRealm, $jpaRealm

roles.unauthorizedUrl = /401error.jsp
perms.unauthorizedUrl = /401error.jsp

ssl.port = 8181

[urls]
/callback = clientsFilter
/logout = logout
/401error.jsp = anon
/** = ssl, casRoles[ROLE_USER], roles[observer]


2016-03-14T17:54:09.748+0000|Info: 2016-03-14 17:54:09,747 ERROR [Process 116760@hostname:38] --- | --- | --- | my.org.AuthzOnlyJpaRealm | There was a JPA error while authorizing user [test]
org.apache.shiro.authz.AuthorizationException: User: test is not enabled
	at my.org.AuthzOnlyJpaRealm.doGetAuthorizationInfo(AuthzOnlyJpaRealm.java:193)
	at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)
	at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:573)
	at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374)
	at org.apache.shiro.authz.ModularRealmAuthorizer.hasAllRoles(ModularRealmAuthorizer.java:407)
	at org.apache.shiro.mgt.AuthorizingSecurityManager.hasAllRoles(AuthorizingSecurityManager.java:161)
	at org.apache.shiro.subject.support.DelegatingSubject.hasAllRoles(DelegatingSubject.java:236)
	at org.apache.shiro.web.filter.authz.RolesAuthorizationFilter.isAccessAllowed(RolesAuthorizationFilter.java:52)
	at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
	at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
	at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
	at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
	at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:416)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:283)
	at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
	at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:206)
	at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:180)
	at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:283)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:200)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:132)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:111)
	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:536)
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:591)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:571)
	at java.lang.Thread.run(Thread.java:745)





Re: Realm Exception Handling

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
I have a pretty similar setup to yours, but for me the exception doesn’t result in HTTP 500 errors.
Can you send your shiro.ini and full exception trace, including the “cause”?
Thanks

> On Mar 14, 2016, at 3:05 PM, jonathan.labin <jo...@gmail.com> wrote:
> 
> I have a web application secured by Shiro configured with a custom realm that
> loads authorization information from a database.
> There are a number of error cases that the realm can face.
> These include things like the user not found in the database, or the user
> account is marked as disabled.
> 
> Currently these cases are handled by throwing an AuthorizationException;
> however, this ultimately results in an HTTP 500 error being displayed to the
> user.
> 
> What is the recommended method of handling these exception cases?  Is there
> a way to catch these exceptions and redirect the browser to an error page?
> 
> Thanks.
> 
> 
> 
>