Posted to users@jena.apache.org by "Nouwt, B. (Barry)" <ba...@tno.nl.INVALID> on 2020/06/05 13:44:06 UTC

[Jena Permissions] Fuseki Main

Hi all, thanks for Apache Jena.

We are using Fuseki Main (embedded) together with a password file that configures Jetty's security settings. We are also using Jena Permissions and a custom SecurityEvaluator and we are wondering how to implement the SecurityEvaluator#getPrincipal() method when using Fuseki Embedded. In the Fuseki as a web application (which uses Shiro for its security), we were able to use Shiro's SecurityUtils.getSubject() method in the getPrincipal() method to retrieve the currently logged in user, but how can we achieve this using Jetty? I'm searching for a static method in Jetty's security that returns the currently logged in user, but until now I've only found ways to get the current user via the HttpRequest. But we do not have access to that within the SecurityEvaluator.

Any ideas?

Thanks in advance!

Barry
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. TNO accepts no liability for the content of this e-mail, for the manner in which you use it and for damage of any kind resulting from the risks inherent to the electronic transmission of messages.

RE: [Jena Permissions] Fuseki Main

Posted by "Nouwt, B. (Barry)" <ba...@tno.nl.INVALID>.
Hey Andy, thanks for the effort!

After my post I disabled Jetty default security and added a ShiroFilter to Fuseki's Jetty by using a similar method as you describe below. My code looks like:

		Server jettyServer = fusekiServer.getJettyServer();
		
		ServletContextHandler h = (ServletContextHandler) jettyServer.getHandler();

		// for shiro
		EnvironmentLoaderListener ell = new EnvironmentLoaderListener();
		h.addEventListener(ell);
		ServletHandler servletHandler = h.getServletHandler();
		
		List<FilterMapping> mappings = new ArrayList<FilterMapping>(Arrays.asList(servletHandler.getFilterMappings()));
		List<FilterHolder> holders = new ArrayList<FilterHolder>(Arrays.asList(servletHandler.getFilters()));

		//add shiro		
		FilterHolder holder1 = new FilterHolder();
		holder1.setFilter(new ShiroFilter());
		FilterMapping mapping1 = new FilterMapping();
		mapping1.setFilterName(holder1.getName());
		mapping1.setPathSpec("/*");
		mapping1.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
		mappings.add(0, mapping1);
		holders.add(0, holder1);

		FilterMapping[] mappings3 = new FilterMapping[mappings.size()];
		mappings3 = mappings.toArray(mappings3);
		FilterHolder[] holders3 = new FilterHolder[holders.size()];
		holders3 = holders.toArray(holders3);
		servletHandler.setFilters(holders3);
		servletHandler.setFilterMappings(mappings3);

		// Specify the Session ID Manager
		SessionIdManager idmanager = new DefaultSessionIdManager(jettyServer);
		jettyServer.setSessionIdManager(idmanager);
		
		// Specify the session handler
		SessionHandler sessionsHandler = new SessionHandler();
		sessionsHandler.setUsingCookies(false);
		servletHandler.setHandler(sessionsHandler);
		
		fusekiServer.start();

Note that the setUsingCookies(false) was necessary, because otherwise it would use the user of my first request for all subsequent requests as well, despite me changing the username and password (using Postman).

For now, this satisfies my requirements.

Regards, Barry


Re: [Jena Permissions] Fuseki Main

Posted by Andy Seaborne <an...@apache.org>.
Barry,

Hack for 3.15.0:

Example of installing a wrapper servlet filter in Apache Jena Fuseki 3.15.0.

That servlet can put the Principal in ThreadLocal as a last resort to 
not having any access to the servlet request or context.

Don't forget to remove cached Principal object after the call to 
FusekiFilter!

https://gist.github.com/afs/0fc46097c4f8930ac12da9ca69fc42a8

Minimally tested.

     Andy
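
The ThreadLocal hand-off and the clean-up warning above, as an added example (not code from this thread or from the linked gist). A single-thread executor stands in for a reused worker thread from the server's pool; `CURRENT`, `leakyFilter` and `safeFilter` are hypothetical names, and in a real servlet filter the principal would be taken from the request.

```java
import java.security.Principal;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Supplier;

public class PrincipalHandOff {
    // Per-thread slot that the wrapper filter fills and the evaluator reads (hypothetical holder).
    static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();

    // What a SecurityEvaluator#getPrincipal() implementation would return.
    static Principal getPrincipal() { return CURRENT.get(); }

    // Leaky wrapper: stores the principal only when one is present and never clears it.
    static <T> T leakyFilter(Principal user, Supplier<T> chain) {
        if (user != null) CURRENT.set(user);
        return chain.get();
    }

    // Safe wrapper: always overwrites the slot and always clears it, even if the chain throws.
    static <T> T safeFilter(Principal user, Supplier<T> chain) {
        CURRENT.set(user);
        try {
            return chain.get();
        } finally {
            CURRENT.remove();
        }
    }

    static String name(Principal p) { return p == null ? "anonymous" : p.getName(); }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Principal alice = () -> "alice";   // constructed sample user

        // Request 1 is authenticated, request 2 is not; both land on the same worker thread.
        pool.submit(() -> leakyFilter(alice, () -> name(getPrincipal()))).get();
        String leaked = pool.submit(() -> leakyFilter(null, () -> name(getPrincipal()))).get();
        System.out.println("leaky wrapper, unauthenticated 2nd request sees: " + leaked);

        pool.submit(CURRENT::remove).get();  // reset the worker before the second demo
        pool.submit(() -> safeFilter(alice, () -> name(getPrincipal()))).get();
        String clean = pool.submit(() -> safeFilter(null, () -> name(getPrincipal()))).get();
        System.out.println("safe wrapper,  unauthenticated 2nd request sees: " + clean);

        pool.shutdown();
    }
}
```

With the leaky wrapper the second request is evaluated under the first request's identity; with the try/finally wrapper it is evaluated as anonymous.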



Re: [Jena Permissions] Fuseki Main

Posted by Andy Seaborne <an...@apache.org>.
Hi Barry,

On 05/06/2020 14:44, Nouwt, B. (Barry) wrote:
> Hi all, thanks for Apache Jena.
> 
> We are using Fuseki Main (embedded) together with a password file that configures Jetty's security settings. We are also using Jena Permissions and a custom SecurityEvaluator and we are wondering how to implement the SecurityEvaluator#getPrincipal() method when using Fuseki Embedded. In the Fuseki as a web application (which uses Shiro for its security), we were able to use Shiro's SecurityUtils.getSubject() method in the getPrincipal() method to retrieve the currently logged in user, but how can we achieve this using Jetty? I'm searching for a static method in Jetty's security that returns the currently logged in user, but until now I've only found ways to get the current user via the HttpRequest. But we do not have access to that within the SecurityEvaluator.

Shiro seems to be putting the principal into a map held in a 
ThreadLocal.

Either doing that as an additional feature or having a way to tap into 
the auth-dispatch cycle so that user can decide to do it seems 
reasonable. The latter - a general hook of some kind - would mean the 
request could be inspected for this or other things.

For the current released code, I haven't found a way to manipulate the 
Jetty server.  I had hoped to mess around with the Jetty structure and 
insert a filter but I can't find a way in Jetty9 yet. Got close (I can 
find the FusekiFilter) but changes aren't being seen by the server and 
the usual dispatch still occurs. Some code in Jetty is taking a copy of 
structures.

FusekiServer.Builder does support adding servlet Filters to the server 
added but they go after the Fuseki dispatcher so don't help.

A simple code change is to use FusekiServer.Builder.addFilter and change
servletsAndFilters move to line 1008 [1] to 995 [2], just before the 
FusekiFilter is created.

     Andy

BTW Is there any reason not to have the CORS filter always present in 
Fuseki main? e.g. Newer yasgui's loaded from unpkg.com require it.

[1]
https://github.com/apache/jena/blob/master/jena-fuseki2/jena-fuseki-main/src/main/java/org/apache/jena/fuseki/main/FusekiServer.java#L1008

[2]
https://github.com/apache/jena/blob/master/jena-fuseki2/jena-fuseki-main/src/main/java/org/apache/jena/fuseki/main/FusekiServer.java#L1008


> 
> Any ideas?
> 
> Thanks in advance!
> 
> Barry