Posted to user@shiro.apache.org by Vampyress86 <l-...@hotmail.co.uk> on 2011/10/31 17:54:44 UTC

Setting up Shiro to work with spring and Jersey/Jackson

I am new to both Spring and Shiro, so please bear with me if I fail to word my
problem correctly. I am developing a RESTful web service in Spring MVC, and
it is necessary to secure the system against unauthorised usage; my
project manager wants to use Shiro as the solution. At the moment our
primary concern is just a basic authentication system for when a user performs
an action upon a resource. I have been through multiple examples of setting
up Shiro, but none of them seem to work for my implementation, and I was
wondering if it would be possible to receive some guidance as to where I
might be going wrong.

My current web.xml implementation:
/
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <!-- Servlet 3.0 deployment descriptor: one Shiro filter mapped to every
         request path and a Jersey servlet mapped to /rest/*. -->
    
    <!-- Shiro is configured inline through the 'config' init-param.
         NOTE(review): [users] keeps account passwords in clear text inside
         web.xml; they appear to be the sample accounts from the Shiro
         examples and are only suitable for a test setup. The 'admin = *'
         role grants every permission. -->
         <filter>
        <filter-name>ShiroFilter</filter-name>
       
<filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>
 
                # The IniShiroFilter configuration is very powerful and
flexible, while still remaining succinct.
                # Please read the
org.apache.shiro.web.servlet.IniShiroFilter JavaDoc for information.
 
                # Quick Tip: Instead of having this configuration here in
web.xml, you can instead
                # move all of this to a 'shiro.ini' file at the root of the
classpath and remove
                # the 'config' init-param. Or you can specify the
'configPath' init-param and specify the
                # path to a resource at any location (url, file or
classpath). This may be desired if the
                # config gets long and you want to keep web.xml clean.
 
                [users]
                # format: username = password, role1, role2, ..., roleN
                root = secret,admin
                guest = guest,guest
                presidentskroob = 12345,president,admin
                darkhelmet = ludicrousspeed,darklord,schwartz
                lonestarr = vespa,goodguy,schwartz
 
                [roles]
                # format; roleName = permission1, permission2, ...,
permissionN
                admin = *
                schwartz = lightsaber:*
                goodguy = winnebago:drive:eagle5
 
                [urls]
                /ipf/** = authcBasic
 
            </param-value>
        </init-param>
    </filter>
    <!-- The filter sees every request (/*), but [urls] attaches authcBasic
         only to /ipf/**. Shiro matches [urls] patterns against the path
         relative to the application's context root, and a request that
         matches no pattern continues down the chain without an
         authentication check.
         NOTE(review): if 'ipf' is this application's context path rather
         than a path inside it, the pattern never matches; confirm. -->
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Jersey serves /rest/*, which no [urls] pattern above covers, so these
         resources are reachable without credentials as configured.
         NOTE(review): authcBasic carries the password on each request in a
         trivially reversible encoding, so the protected paths presumably
         also need TLS (Shiro provides an 'ssl' filter); confirm how the
         application is deployed. -->
    <servlet>
        <servlet-name>ServletAdaptor</servlet-name>
       
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>ServletAdaptor</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
    <!-- session-timeout is expressed in minutes. -->
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
</web-app>/
----------------------------------------------
And my application context, so you can get a better understanding of the
service's general implementation:
-----------------------------------------------
/
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
">
    <!-- Spring application context: JPA DAO beans, a JPA transaction manager
         and a PostgreSQL data source. No Shiro bean (security manager, realm
         or filter) is defined in this file, so access control depends
         entirely on the filter declared in web.xml. -->

    <!-- Enables annotation-based injection and annotation-driven
         transactions for the beans below. -->
    <context:annotation-config />
    <tx:annotation-driven />
    
    <!-- Data access objects, one per entity. -->
    <bean id="farmDAO" class="com.ipf.persistance.JpaFarmDAO" />
    <bean id="farmerDAO" class="com.ipf.persistance.JpaFarmerDAO" />
    <bean id="farmeradvisorDAO"
class="com.ipf.persistance.JpaFarmerAdvisorDAO" />
    <bean id="timingDAO" class="com.ipf.persistance.JpaTimingDAO" />  
    <bean id="varietyDAO" class="com.ipf.persistance.JpaVarietyDAO" /> 
    <bean id="cropDAO" class="com.ipf.persistance.JpaCropDAO" />
    <bean id="farmercropDAO" class="com.ipf.persistance.JpaFarmerCropDAO" />  
    <bean id="zoneDAO" class="com.ipf.persistance.JpaZoneDAO" /> 
    
    <bean id="transactionManager"
class="org.springframework.orm.jpa.JpaTransactionManager">
        <property name="entityManagerFactory" ref="entityManagerFactory"/>
        <property name="dataSource" ref="dataSource"/>
    </bean>
    
    <bean id="persistenceAnnotation"
class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor"
/>
  
    <!-- Connection settings, including the database password, come from
         ${db.*} placeholders rather than literals in this file.
         NOTE(review): no property placeholder configurer is declared here;
         presumably it is defined in another context file. Confirm that the
         properties file holding db.password is kept out of version control
         and readable only by the application account.
         DriverManagerDataSource does not pool connections. -->
    <bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="${db.driverClass}" />
        <property name="url" value="${db.connectionURL}" />
        <property name="username" value="${db.username}" />
        <property name="password" value="${db.password}" />
    </bean>
    
    <bean id="entityManagerFactory"
       
class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
        <property name="dataSource" ref="dataSource" />
        <property name="jpaVendorAdapter" ref="jpaVendorAdapter" />
    </bean>
    
    <!-- showSql=true makes Hibernate print the SQL it runs; generateDdl=false
         leaves the schema untouched.
         NOTE(review): showSql is normally a development setting; confirm it
         is switched off where query logs are retained or shared. -->
    <bean id="jpaVendorAdapter"
       
class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
        <property name="database" value="POSTGRESQL" />
        <property name="showSql" value="true"/>
        <property name="generateDdl" value="false"/>
        <property name="databasePlatform"
        value="org.hibernate.dialect.PostgreSQLDialect" />
    </bean>
 
</beans>
/


-------------------------------------------------------

The problem I am currently facing is that the resources are still available
no matter what configuration option I use. I should also mention I have
tried the method of including the ini data in a file and setting up Shiro
through beans however the result remained the same. There are no compilation
errors to indicate a problem but the login page I would expect is not
available and resources are returned normally.

I am curious as to whether I am totally barking up the wrong tree or if I am
relatively close in how I am trying to progress. 

Thank you for your time! :)





Re: Setting up Shiro to work with spring and Jersey/Jackson

Posted by Manoj Khangaonkar <kh...@gmail.com>.
Hi,

Please take a look at the Spring sample. Your web.xml seems to be
missing the filter

org.springframework.web.filter.DelegatingFilterProxy

On Tue, Nov 1, 2011 at 2:03 AM, Vampyress86 <l-...@hotmail.co.uk> wrote:
> Forgive me I posted the wrong web.xml, the web.xml I posted was for a test
> application which I had been working on. The correct web.xml is as follows:
>
> /<?xml version="1.0" encoding="UTF-8"?>
> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_2_4.xsd">
>
>    <context-param>
>        <param-name>contextConfigLocation</param-name>
>        <param-value>
>            /WEB-INF/spring/root-context.xml
>        </param-value>
>    </context-param>
>         <filter>
>        <filter-name>ShiroFilter</filter-name>
>
> <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
>        <init-param>
>            <param-name>config</param-name>
>            <param-value>
>
>                # The IniShiroFilter configuration is very powerful and
> flexible, while still remaining succinct.
>                # Please read the
> org.apache.shiro.web.servlet.IniShiroFilter JavaDoc for information.
>
>                # Quick Tip: Instead of having this configuration here in
> web.xml, you can instead
>                # move all of this to a 'shiro.ini' file at the root of the
> classpath and remove
>                # the 'config' init-param. Or you can specify the
> 'configPath' init-param and specify the
>                # path to a resource at any location (url, file or
> classpath). This may be desired if the
>                # config gets long and you want to keep web.xml clean.
>
>                [users]
>                # format: username = password, role1, role2, ..., roleN
>                root = secret,admin
>                guest = guest,guest
>                presidentskroob = 12345,president,admin
>                darkhelmet = ludicrousspeed,darklord,schwartz
>                lonestarr = vespa,goodguy,schwartz
>
>                [roles]
>                # format; roleName = permission1, permission2, ...,
> permissionN
>                admin = *
>                schwartz = lightsaber:*
>                goodguy = winnebago:drive:eagle5
>
>                [urls]
>                /ipf/** = authcBasic
>
>            </param-value>
>        </init-param>
>    </filter>
>    <filter-mapping>
>        <filter-name>ShiroFilter</filter-name>
>        <url-pattern>/*</url-pattern>
>    </filter-mapping>
>
>    <listener>
>
> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
>    </listener>
>
>    <servlet>
>        <servlet-name>appServlet</servlet-name>
>
> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
>        <init-param>
>            <param-name>contextConfigLocation</param-name>
>
> <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
>        </init-param>
>        <load-on-startup>1</load-on-startup>
>    </servlet>
>    <servlet-mapping>
>        <servlet-name>appServlet</servlet-name>
>        <url-pattern>/*</url-pattern>
>    </servlet-mapping>
> </web-app>/
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Setting-up-Shiro-to-work-with-spring-and-Jersey-Jackson-tp6948893p6951002.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>



-- 
http://khangaonkar.blogspot.com/

Re: Setting up Shiro to work with spring and Jersey/Jackson

Posted by Vampyress86 <l-...@hotmail.co.uk>.
Forgive me, I posted the wrong web.xml; the one I posted was for a test
application which I had been working on. The correct web.xml is as follows:

/<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_4.xsd">
    <!-- Servlet 2.4 deployment descriptor for the Spring MVC application: a
         Shiro filter on every request path, the Spring root context and a
         DispatcherServlet mapped to /*.
         NOTE(review): the default namespace above is .../xml/ns/j2ee while
         xsi:schemaLocation names .../xml/ns/javaee; a 2.4 descriptor
         normally uses the j2ee namespace in both places. -->
    
    <!-- Location of the root application context read by the
         ContextLoaderListener declared further down. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/root-context.xml
        </param-value>
    </context-param>
    <!-- Shiro is configured inline through the 'config' init-param.
         NOTE(review): [users] keeps account passwords in clear text inside
         web.xml; they appear to be the sample accounts from the Shiro
         examples and are only suitable for a test setup. The 'admin = *'
         role grants every permission. -->
         <filter>
        <filter-name>ShiroFilter</filter-name>
       
<filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>
 
                # The IniShiroFilter configuration is very powerful and
flexible, while still remaining succinct.
                # Please read the
org.apache.shiro.web.servlet.IniShiroFilter JavaDoc for information.
 
                # Quick Tip: Instead of having this configuration here in
web.xml, you can instead
                # move all of this to a 'shiro.ini' file at the root of the
classpath and remove
                # the 'config' init-param. Or you can specify the
'configPath' init-param and specify the
                # path to a resource at any location (url, file or
classpath). This may be desired if the
                # config gets long and you want to keep web.xml clean.
 
                [users]
                # format: username = password, role1, role2, ..., roleN
                root = secret,admin
                guest = guest,guest
                presidentskroob = 12345,president,admin
                darkhelmet = ludicrousspeed,darklord,schwartz
                lonestarr = vespa,goodguy,schwartz
 
                [roles]
                # format; roleName = permission1, permission2, ...,
permissionN
                admin = *
                schwartz = lightsaber:*
                goodguy = winnebago:drive:eagle5
 
                [urls]
                /ipf/** = authcBasic
 
            </param-value>
        </init-param>
    </filter>
    <!-- The filter sees every request (/*), but [urls] attaches authcBasic
         only to /ipf/**. Shiro matches [urls] patterns against the path
         relative to the application's context root, and a request that
         matches no pattern continues down the chain without an
         authentication check.
         NOTE(review): if 'ipf' is this application's context path rather
         than a path inside it, the pattern never matches; confirm.
         NOTE(review): authcBasic carries the password on each request in a
         trivially reversible encoding, so protected paths presumably also
         need TLS (Shiro provides an 'ssl' filter); confirm. -->
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>    
    
    <!-- Loads the root context named by contextConfigLocation above. -->
    <listener>
       
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    
    <!-- Spring MVC front controller; it is mapped to /*, so every path the
         application serves goes through it and only those matching a [urls]
         pattern above are authenticated first. -->
    <servlet>
        <servlet-name>appServlet</servlet-name>
       
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
           
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
</web-app>/



Re: Setting up Shiro to work with spring and Jersey/Jackson

Posted by Manoj Khangaonkar <kh...@gmail.com>.
Hi ,

The only urls that are secured are

 [urls]
               /ipf/** = authcBasic

But your REST APIs seem to be at

<servlet-mapping>
        <servlet-name>ServletAdaptor</servlet-name>
        <url-pattern>/rest/*</url-pattern>
</servlet-mapping>

Is it /rest/* that you need to secure ? If yes, then you might change
the ini config.

Manoj

On Mon, Oct 31, 2011 at 9:54 AM, Vampyress86
<l-...@hotmail.co.uk> wrote:
> I am new to both Spring and Shiro so please bear with me if I fail to word my
> problem correctly. I am developing a restful web service in Spring MVC and
> it is necessary to secure the system against unauthorised usage and my
> project manager wants to use Shiro as the solution. At the moment our
> primary concern is just a basic authentication system when a user performs
> an action upon a resource. I have been through multiple examples of setting
> up Shiro and none of them seem to work for my implementation and was
> wondering if it would be possible to recieve some guidance as to where I
> might be going wrong.
>
> My current web.xml implementation:
> /
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
>
>         <filter>
>        <filter-name>ShiroFilter</filter-name>
>
> <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
>        <init-param>
>            <param-name>config</param-name>
>            <param-value>
>
>                # The IniShiroFilter configuration is very powerful and
> flexible, while still remaining succinct.
>                # Please read the
> org.apache.shiro.web.servlet.IniShiroFilter JavaDoc for information.
>
>                # Quick Tip: Instead of having this configuration here in
> web.xml, you can instead
>                # move all of this to a 'shiro.ini' file at the root of the
> classpath and remove
>                # the 'config' init-param. Or you can specify the
> 'configPath' init-param and specify the
>                # path to a resource at any location (url, file or
> classpath). This may be desired if the
>                # config gets long and you want to keep web.xml clean.
>
>                [users]
>                # format: username = password, role1, role2, ..., roleN
>                root = secret,admin
>                guest = guest,guest
>                presidentskroob = 12345,president,admin
>                darkhelmet = ludicrousspeed,darklord,schwartz
>                lonestarr = vespa,goodguy,schwartz
>
>                [roles]
>                # format; roleName = permission1, permission2, ...,
> permissionN
>                admin = *
>                schwartz = lightsaber:*
>                goodguy = winnebago:drive:eagle5
>
>                [urls]
>                /ipf/** = authcBasic
>
>            </param-value>
>        </init-param>
>    </filter>
>    <filter-mapping>
>        <filter-name>ShiroFilter</filter-name>
>        <url-pattern>/*</url-pattern>
>    </filter-mapping>
>    <servlet>
>        <servlet-name>ServletAdaptor</servlet-name>
>
> <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
>        <load-on-startup>1</load-on-startup>
>    </servlet>
>    >    <session-config>
>        <session-timeout>
>            30
>        </session-timeout>
>    </session-config>
> </web-app>/
> ----------------------------------------------
> And my application context so you can getter a better understanding of the
> services general implementation:
> -----------------------------------------------
> /
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:context="http://www.springframework.org/schema/context"
> xmlns:tx="http://www.springframework.org/schema/tx"
> xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans.xsd
> http://www.springframework.org/schema/context
> http://www.springframework.org/schema/context/spring-context.xsd
> http://www.springframework.org/schema/tx
> http://www.springframework.org/schema/tx/spring-tx.xsd
> ">
>
>    <context:annotation-config />
>    <tx:annotation-driven />
>
>    <bean id="farmDAO" class="com.ipf.persistance.JpaFarmDAO" />
>    <bean id="farmerDAO" class="com.ipf.persistance.JpaFarmerDAO" />
>    <bean id="farmeradvisorDAO"
> class="com.ipf.persistance.JpaFarmerAdvisorDAO" />
>    <bean id="timingDAO" class="com.ipf.persistance.JpaTimingDAO" />
>    <bean id="varietyDAO" class="com.ipf.persistance.JpaVarietyDAO" />
>    <bean id="cropDAO" class="com.ipf.persistance.JpaCropDAO" />
>    <bean id="farmercropDAO" class="com.ipf.persistance.JpaFarmerCropDAO" />
>    <bean id="zoneDAO" class="com.ipf.persistance.JpaZoneDAO" />
>
>    <bean id="transactionManager"
> class="org.springframework.orm.jpa.JpaTransactionManager">
>        <property name="entityManagerFactory" ref="entityManagerFactory"/>
>        <property name="dataSource" ref="dataSource"/>
>    </bean>
>
>    <bean id="persistenceAnnotation"
> class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor"
> />
>
>    <bean id="dataSource"
> class="org.springframework.jdbc.datasource.DriverManagerDataSource">
>        <property name="driverClassName" value="${db.driverClass}" />
>        <property name="url" value="${db.connectionURL}" />
>        <property name="username" value="${db.username}" />
>        <property name="password" value="${db.password}" />
>    </bean>
>
>    <bean id="entityManagerFactory"
>
> class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
>        <property name="dataSource" ref="dataSource" />
>        <property name="jpaVendorAdapter" ref="jpaVendorAdapter" />
>    </bean>
>
>    <bean id="jpaVendorAdapter"
>
> class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
>        <property name="database" value="POSTGRESQL" />
>        <property name="showSql" value="true"/>
>        <property name="generateDdl" value="false"/>
>        <property name="databasePlatform"
>        value="org.hibernate.dialect.PostgreSQLDialect" />
>    </bean>
>
> </beans>
> /
>
>
> -------------------------------------------------------
>
> The problem I am currently facing is that the resources are still available
> no matter what configuration option I use. I should also mention I have
> tried the method of including the ini data in a file and setting up Shiro
> through beans however the result remained the same. There are no compilation
> errors to indicate a problem but the login page I would expect is not
> available and resources are returned normally.
>
> I am curious as to whether I am totally barking up the wrong tree or if I am
> relatively close in how I am trying to progress.
>
> Thankyou for your time! :)
>
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Setting-up-Shiro-to-work-with-spring-and-Jersey-Jackson-tp6948893p6948893.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>



-- 
http://khangaonkar.blogspot.com/