Posted to user@shiro.apache.org by Bruce Phillips <bp...@ku.edu> on 2011/01/09 03:56:32 UTC

Upgraded From JSecurity 0.9 To Shiro 1.1.0 - Permissions No Longer Work

I'm updating a series of Shiro tutorials I wrote in April 2009, when Shiro
was known as JSecurity and was in version 0.9.  These tutorials are linked to
from the Shiro website (http://shiro.apache.org/articles.html).

The first four tutorials updated just fine.  However, my last tutorial on
how to use permissions in Shiro has a problem.  After upgrading to Shiro
1.1.0 - permissions no longer work.  Everything else is working - user
authentication and role checking.

I reviewed the documentation and API for 1.1.0 and it looks like permissions
should work the same as they did in JSecurity 0.9.

The updated article with download is here:

http://www.brucephillips.name/blog/index.cfm/2009/5/1/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners-Tutorial-Part-5

Both the roles admin and staff have permission of secure in the
roles_permissions table.  But when logging in with users (jack@hotmail.com
or bruce@hotmail.com) who have those roles, the
subject.isPermitted("secure") statement returns false.

Any help would be appreciated so that I can get this last tutorial working
correctly with Shiro 1.1.0.

Bruce Phillips

-- 
View this message in context: http://shiro-user.582556.n2.nabble.com/Upgraded-From-JSecurity-0-9-To-Shiro-1-1-0-Permissions-No-Longer-Work-tp5903710p5903710.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Upgraded From JSecurity 0.9 To Shiro 1.1.0 - Permissions No Longer Work

Posted by Jared Bunting <ja...@digitalreasoning.com>.
Yeah...by documentation I meant the javadocs for the
setPermissionsLookupEnabled method in the JdbcRealm class. At the very least
I felt like there should be a mention of this setting in the class-level
javadoc - I'm still not sure why this is off by default when I got every
indication from the rest of the documentation that permissions are the
preferred mechanism.

Thanks,
Jared


On 1/9/11 6:18 AM, "Bruce Phillips" <bp...@ku.edu> wrote:

> 
> Jared - Thank you very much for the reply.  I added
> realmA.permissionsLookupEnabled=true to the [main] section of the
> IniShiroFilter configuration and now permissions work in my example web
> application.
> 
> Where in the documentation did you find the information about setting
> permissionsLookupEnabled to true?  I did read through the documentation
> before posting and didn't see any references to setting
> permissionsLookupEnabled to true to enable permissions.
> 
> I'm going to submit a Jira request to update the permissions part of the
> document (http://shiro.apache.org/permissions.html) with this information.
> 
> After reading your reply I dug into the API much deeper and in the source
> code for JdbcRealm class is this:
> 
>     /**
>      * Enables lookup of permissions during authorization.  The default is "false" - meaning that only roles
>      * are associated with a user.  Set this to true in order to lookup roles and permissions.
>      *
>      * @param permissionsLookupEnabled true if permissions should be looked up during authorization, or false if only
>      *                                 roles should be looked up.
>      */
>     public void setPermissionsLookupEnabled(boolean permissionsLookupEnabled) {
>         this.permissionsLookupEnabled = permissionsLookupEnabled;
>     }
> 
> So as you mention in your reply besides setting the value of
> permissionsLookupEnabled in the configuration section of IniShiroFilter in
> web.xml you can call setPermissionsLookupEnabled(true) in the JdbcRealm
> class.
> 
> Thanks again for your reply.
> 
> Bruce


Re: Upgraded From JSecurity 0.9 To Shiro 1.1.0 - Permissions No Longer Work

Posted by Bruce Phillips <bp...@ku.edu>.
Jared - Thank you very much for the reply.  I added
realmA.permissionsLookupEnabled=true to the [main] section of the
IniShiroFilter configuration and now permissions work in my example web
application.

Where in the documentation did you find the information about setting
permissionsLookupEnabled to true?  I did read through the documentation
before posting and didn't see any references to setting
permissionsLookupEnabled to true to enable permissions.  

I'm going to submit a Jira request to update the permissions part of the
document (http://shiro.apache.org/permissions.html) with this information.  

After reading your reply I dug into the API much deeper and in the source
code for JdbcRealm class is this:

    /**
     * Enables lookup of permissions during authorization.  The default is "false" - meaning that only roles
     * are associated with a user.  Set this to true in order to lookup roles and permissions.
     *
     * @param permissionsLookupEnabled true if permissions should be looked up during authorization, or false if only
     *                                 roles should be looked up.
     */
    public void setPermissionsLookupEnabled(boolean permissionsLookupEnabled) {
        this.permissionsLookupEnabled = permissionsLookupEnabled;
    }

So as you mention in your reply besides setting the value of
permissionsLookupEnabled in the configuration section of IniShiroFilter in
web.xml you can call setPermissionsLookupEnabled(true) in the JdbcRealm
class.

Thanks again for your reply.

Bruce

-- 
View this message in context: http://shiro-user.582556.n2.nabble.com/Upgraded-From-JSecurity-0-9-To-Shiro-1-1-0-Permissions-No-Longer-Work-tp5903710p5904264.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Upgraded From JSecurity 0.9 To Shiro 1.1.0 - Permissions No Longer Work

Posted by Jared Bunting <ja...@digitalreasoning.com>.
From a quick run through, it appears that you've not set
"permissionsLookupEnabled" in the JdbcRealm.  I'm not entirely sure why
that's disabled by default, but according to the docs, it is (also,
according to the code).  You can either set the value directly in the
constructor of RoleSecurityJdbcRealm or, I think in the [main] section of
your shiro config you can add "realmA.permissionsLookupEnabled=true".

With that change I am able to access the "secure" section of the site when
logged in as bruce.

Thanks,
Jared


On 1/8/11 8:56 PM, "Bruce Phillips" <bp...@ku.edu> wrote:

> 
> I'm updating a series of Shiro tutorials I wrote in April 2009, when Shiro
> was known as JSecurity and was in version 0.9.  These tutorials are linked to
> from the Shiro website (http://shiro.apache.org/articles.html).
> 
> The first four tutorials updated just fine.  However, my last tutorial on
> how to use permissions in Shiro has a problem.  After upgrading to Shiro
> 1.1.0 - permissions no longer work.  Everything else is working - user
> authentication and role checking.
> 
> I reviewed the documentation and API for 1.1.0 and it looks like permissions
> should work the same as they did in JSecurity 0.9.
> 
> The updated article with download is here:
> 
> http://www.brucephillips.name/blog/index.cfm/2009/5/1/An-Introduction-to-Ki-formerly-JSecurity--A-Beginners-Tutorial-Part-5
> 
> Both the roles admin and staff have permission of secure in the
> roles_permissions table.  But when logging in with users (jack@hotmail.com
> or bruce@hotmail.com) who have those roles, the
> subject.isPermitted("secure") statement returns false.
> 
> Any help would be appreciated so that I can get this last tutorial working
> correctly with Shiro 1.1.0.
> 
> Bruce Phillips
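
Added example, not part of the original thread or of the tutorial's code: a small check that runs the same role and permission lookups against a stock JdbcRealm with permissionsLookupEnabled off and then on, showing that the default leaves role checks working while isPermitted("secure") is denied. Assumptions: Shiro 1.x and the H2 driver are on the classpath, the class name PermissionsLookupCheck and the in-memory H2 database are hypothetical stand-ins, and the rows are constructed sample data using the table and column names of JdbcRealm's default queries.

```java
import java.sql.Connection;
import java.sql.Statement;
import javax.sql.DataSource;

import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.h2.jdbcx.JdbcDataSource;

public class PermissionsLookupCheck {

    public static void main(String[] args) throws Exception {
        // Assumption: in-memory H2 database standing in for the tutorial's database.
        JdbcDataSource ds = new JdbcDataSource();
        ds.setURL("jdbc:h2:mem:shirodemo;DB_CLOSE_DELAY=-1");

        // Constructed sample rows; table and column names follow JdbcRealm's default
        // role and permission queries (user_roles, roles_permissions).
        try (Connection c = ds.getConnection(); Statement s = c.createStatement()) {
            s.execute("create table user_roles (username varchar(64), role_name varchar(64))");
            s.execute("create table roles_permissions (role_name varchar(64), permission varchar(64))");
            s.execute("insert into user_roles values ('bruce@hotmail.com', 'admin')");
            s.execute("insert into roles_permissions values ('admin', 'secure')");
        }

        System.out.println("lookup disabled (default): " + check(ds, false));
        System.out.println("lookup enabled:            " + check(ds, true));
    }

    // Builds a fresh realm per run so no cached authorization data carries over,
    // then asks the realm directly for a role check and a permission check.
    static String check(DataSource ds, boolean permissionsLookupEnabled) {
        JdbcRealm realm = new JdbcRealm();
        realm.setDataSource(ds);
        // Same switch as "realmA.permissionsLookupEnabled=true" in the [main] section.
        realm.setPermissionsLookupEnabled(permissionsLookupEnabled);

        SimplePrincipalCollection who =
                new SimplePrincipalCollection("bruce@hotmail.com", realm.getName());

        return "hasRole(admin)=" + realm.hasRole(who, "admin")
                + ", isPermitted(secure)=" + realm.isPermitted(who, "secure");
    }
}
```

Running a check like this after an upgrade separates "the permission rows are missing" from "the realm never queried them", which is the case this thread turned out to be.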