Posted to user@shiro.apache.org by P82 <st...@mail.ru> on 2014/05/27 19:07:49 UTC

Shiro "session" for EJB.

From this post <http://grails.1312388.n4.nabble.com/Binding-Security-Manager-to-the-thread-context-and-Shiro-tp3217915p3218140.html>:
Typically a subject is automatically created, bound and unbound for a
thread by the ShiroFilter when servicing a web request.  If your logic
is NOT triggered by a web request (e.g. via a startup or daemon
thread, or different thread (e.g. ExecutorService or thread pool)),
then you'll need to do the create/bind/unbind logic yourself.  See the
Subject page for more information. 

So it means, as I understand it, that if we connect to an EJB we must do the
create/bind/unbind logic ourselves. As I understand it, we must send the
sessionId to the server and use the following code:

Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();

However, testing my remote EJB from a standalone client and calling the testMe
method several times, I see that it keeps the id and the user is authenticated.
// Imports this method needs
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

public void testMe() {
    // Whatever Subject is bound to the current thread, or a new anonymous one
    Subject currentUser = SecurityUtils.getSubject();
    if (!currentUser.isAuthenticated()) {
        UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
        System.out.println("#0:" + currentUser.getSession().getId());
        currentUser.login(token);
    } else {
        currentUser.logout();
        System.out.println("I logged out");
    }
    System.out.println("#1:" + currentUser.getSession().getId());
}

When I call it first time from my client I have:
  #0:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
  #1:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
When I call it second time from client I have:
  I logged out
  #1:2edcab36-cb97-4722-b91b-82ec225deb78
Again:
  #0:2edcab36-cb97-4722-b91b-82ec225deb78
  #1:2edcab36-cb97-4722-b91b-82ec225deb78
Again:
  I logged out
  #1:b92ba3f4-deb9-41f2-9a36-b571dc33f082

So my question: should I send the sessionId to the server from the client, or does Shiro use
some mechanism to keep the sessionId between client and server?




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-session-for-EJB-tp7579994.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro "session" for EJB.

Posted by P82 <st...@mail.ru>.
Yes, we appreciate you and are thankful for your help. You can say it to your wife
:)




Re: Shiro "session" for EJB.

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
I'm glad someone besides my wife appreciates me.
Thank you!



Re: Shiro "session" for EJB.

Posted by Tomas Lund Petersen <ko...@gmail.com>.
Lenny, you are too kind.
After all your kind replies you deserve a better thank you than that.
Well done and thanks.

Re: Shiro "session" for EJB.

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
As I said in my first post, this is not trivial



Re: Shiro "session" for EJB.

Posted by P82 <st...@mail.ru>.
I think you are right here. The last question: why did it take us so long to
make it clear?




Re: Shiro "session" for EJB.

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
This is probably due to you hitting the same thread of the EJB bean pool, sometimes.
Your results are purely random because of this.
@Stateless EJBs are run out of a thread pool.
Shiro's sessions are per-thread, so you are getting these results by coincidence.

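Lenny's explanation in the post above (stateless EJBs run on pooled threads, and Shiro binds the Subject to the thread, so a later call on the same thread inherits what the previous call left behind) can be reproduced outside a container. The following is an added example, not code from this thread or from Shiro's own samples. It uses Shiro's public API (`SecurityUtils`, `ThreadContext`, `SimpleAccountRealm`, `DefaultSecurityManager`) and a single-thread `ExecutorService` as a stand-in for the EJB pool; the class name `ThreadBoundSubjectDemo`, the `describe` helper and the demo account are my own assumptions.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class ThreadBoundSubjectDemo {

    // Reports what SecurityUtils.getSubject() hands back on the calling thread.
    // If nothing is bound to the thread, Shiro builds a new anonymous Subject and binds it.
    static String describe(String label) {
        Subject s = SecurityUtils.getSubject();
        return label + ": thread=" + Thread.currentThread().getName()
                + " authenticated=" + s.isAuthenticated()
                + " session=" + s.getSession().getId();
    }

    public static void main(String[] args) throws Exception {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("lonestarr", "vespa"); // demo account, constructed for this example
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        // A one-thread pool stands in for the container's EJB pool:
        // every "request" below lands on the same pooled thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();

        // Request 1: logs in and never unbinds, the pattern of testMe() in this thread.
        pool.submit(() -> {
            SecurityUtils.getSubject().login(new UsernamePasswordToken("lonestarr", "vespa"));
            System.out.println(describe("request 1 after login"));
            return null;
        }).get();

        // Request 2: an unrelated caller on the same pooled thread sees request 1's
        // authenticated Subject and session id without having logged in at all.
        pool.submit(() -> {
            System.out.println(describe("request 2, leaked state"));
            return null;
        }).get();

        // Request 3: clear the thread when the call is done. This is what ShiroFilter
        // and Subject.execute() do for you; an EJB needs an interceptor to do the same.
        pool.submit(() -> {
            try {
                System.out.println(describe("request 3, still leaked inside the call"));
            } finally {
                ThreadContext.remove();
            }
            return null;
        }).get();

        // Request 4: the thread is clean, so the caller is anonymous with a fresh session.
        pool.submit(() -> {
            System.out.println(describe("request 4 after cleanup"));
            return null;
        }).get();

        pool.shutdown();
    }
}
```

Run as a plain Java SE program with shiro-core on the classpath. Requests 1 to 3 print authenticated=true and the same session id although only request 1 logged in; request 4 prints authenticated=false with a new id. With a real pool of several threads the result depends on which thread the container picks, which is the alternating login/logout output P82 posted: each call sees whatever the previous call on that particular thread left bound, not a session shared with the client.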


Re: Shiro "session" for EJB.

Posted by P82 <st...@mail.ru>.
No, the result that I have written shows that the session is kept. When I call
ejb.testMe() from the client you can see that every second time it outputs "I
logged out". If you don't believe me you can try it yourself. AND THIS IS THE
ISSUE I DON'T UNDERSTAND AND ALL THIS THREAD IS ABOUT IT.

Duplicate:
When I call it first time from my client I have:
  #0:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
  #1:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
When I call it second time from client I have:
  I logged out
  #1:2edcab36-cb97-4722-b91b-82ec225deb78
Again:
  #0:2edcab36-cb97-4722-b91b-82ec225deb78
  #1:2edcab36-cb97-4722-b91b-82ec225deb78
Again:
  I logged out
  #1:b92ba3f4-deb9-41f2-9a36-b571dc33f082

The only thing I found in docs is
"If deploying inside a web application, by default the Session will be
HttpSession based. But, in a non-web environment, like this simple
Quickstart, Shiro will automatically use its Enterprise Session Management
by default. This means you get to use the same API in your applications, in
any tier, regardless of deployment environment. This opens a whole new world
of applications since any application requiring sessions does not need to be
forced to use the HttpSession or EJB Stateful Session Beans. And, any client
technology can now share session data." - Maybe they have implemented some
internal mechanism... And this is what I'm trying to find out.




Re: Shiro "session" for EJB.

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Yes, it's a bean, but this doesn't really exercise holding a session between requests.
If you do authentication on each remote request, of course it will work.
The key is to log in once and then use the session on subsequent requests
and hold that authentication session for an extended period of time.



Re: Shiro "session" for EJB.

Posted by P82 <st...@mail.ru>.
So one more time. I have a JavaEE server (GF4) at 192.168.1.2 and I have an OSGi
client at 192.168.1.3. On the server side I have the BEAN:

import javax.annotation.Resource;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

@Stateless(name = "OrganizationDirBean", mappedName = "ejb/OrganizationDirBean")
@Remote
public class OrganizationDirBean implements Directory {
    @Resource
    SessionContext ctx;

    @Override
    public void testMe() {
        // Whatever Subject is bound to the pool thread running this call, or a new anonymous one
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
            System.out.println("#0:" + currentUser.getSession().getId());
            currentUser.login(token);
        } else {
            currentUser.logout();
            System.out.println("I logged out");
        }
        System.out.println("#1:" + currentUser.getSession().getId());
    }
}

On the client side:
InitialContext ctx = new InitialContext(someEnv);
Directory directory = (Directory) ctx.lookup("ejb/OrganizationDirBean");
directory.testMe();

Do you still think that it's not EJB???




Re: Shiro "session" for EJB.

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
I bet it's a local client, not a remote client.  Shiro has no way of transferring context to a remote client/server
without help.



Re: Shiro "session" for EJB.

Posted by P82 <st...@mail.ru>.
I don't understand you. The code that I showed belongs to an EJB. And at the client
side I do ejb.testMe();




Re: Shiro "session" for EJB.

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Because, in your code, you are not calling client/server or remote EJBs.
Once you start doing that, you are no longer in thread context, 
and thus Shiro's subject will no longer automatically be with your EJB



Re: Shiro "session" for EJB.

Posted by P82 <st...@mail.ru>.
lprimak, I appreciate your help but I can't understand why you don't
understand me. If it's not done automatically, why then do I get such results
running my EJB? Can you answer or give me a link where I can find the
answer?




Re: Shiro "session" for EJB.

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
This is not automatically done by Shiro.
There is a "nice" interceptor way of doing it, which should look like it's automatic.



Re: Shiro "session" for EJB.

Posted by P82 <st...@mail.ru>.
I understand it. The question is whether I should do it manually or whether it's done
automatically by Shiro.




Re: Shiro "session" for EJB.

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Client needs to get / keep the sessionId,
Server needs to buildSubject() with the sessionId and propagate it throughout the EJB context



Re: Shiro "session" for EJB.

Posted by Tomas Lund Petersen <ko...@gmail.com>.
I ran into the same problem. You have to create and maintain your
securityManager. Otherwise you will lose all your sessions each time it is
instantiated. This is because we are not using the webFilter. SOAP calls
aren't managed by the webFilter.
I replaced the webFilter with a SoapHandler and start the securityManager
only in the first call.
Check the past threads for a description.
Good luck.
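Lenny's recipe earlier in the thread (the client keeps the sessionId, the server rebuilds the Subject from it and binds it around the EJB call, preferably from an interceptor so it looks automatic) and Tomas's point just above (the SecurityManager must be created once and kept, or every call starts with an empty session store) put together as one added example. This is not code from the thread, from Shiro or from any project: the `SessionRef` value type, the `Directory` methods, `ShiroBootstrap`, `ShiroSubjectInterceptor` and the `lonestarr`/`vespa` demo account in a `SimpleAccountRealm` are my assumptions, while `Subject.Builder.sessionId()`, `Subject.execute()` and the `@AroundInvoke` interceptor contract are the real Shiro 1.x and EJB 3.x APIs.

```java
// Imports are listed once here; each public class below lives in its own .java file.
import java.io.Serializable;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import javax.annotation.PostConstruct;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.ejb.Stateless;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

// --- SessionRef.java (assumed): what the client keeps between calls; it is a bearer credential ---
public final class SessionRef implements Serializable {
    private final Serializable id;
    public SessionRef(Serializable id) { this.id = id; }
    public Serializable id() { return id; }
}

// --- Directory.java (assumed remote interface) ---
@Remote
public interface Directory {
    SessionRef login(String username, String password);
    String whoAmI(SessionRef ref);
    void logout(SessionRef ref);
}

// --- ShiroBootstrap.java: build the SecurityManager exactly once per deployment ---
// A new SecurityManager per call brings a new, empty session store, so every id sent back would be unknown.
@Singleton
@Startup
public class ShiroBootstrap {
    @PostConstruct
    void init() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("lonestarr", "vespa"); // demo account only (constructed); use a JDBC/LDAP realm for real users
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
    }
}

// --- ShiroSubjectInterceptor.java: rebuild the caller's Subject from the SessionRef, bind it for this call only ---
public class ShiroSubjectInterceptor {
    @AroundInvoke
    public Object bindSubject(final InvocationContext ic) throws Exception {
        Subject.Builder builder = new Subject.Builder(SecurityUtils.getSecurityManager());
        for (Object arg : ic.getParameters()) {
            if (arg instanceof SessionRef) {
                builder.sessionId(((SessionRef) arg).id()); // unknown or expired id -> anonymous Subject, no exception
                break;
            }
        }
        Subject subject = builder.buildSubject();
        try {
            // execute() binds the Subject to this pool thread for the duration of the call and restores
            // the thread's previous state afterwards, so nothing leaks to the next caller on this thread.
            return subject.execute(new Callable<Object>() {
                @Override
                public Object call() throws Exception {
                    return ic.proceed();
                }
            });
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof Exception) {
                throw (Exception) cause; // rethrow the bean's own exception unwrapped
            }
            throw e;
        }
    }
}

// --- OrganizationDirBean.java: the thread's bean, reworked so the session survives between remote calls ---
@Stateless(name = "OrganizationDirBean", mappedName = "ejb/OrganizationDirBean")
@Interceptors(ShiroSubjectInterceptor.class)
public class OrganizationDirBean implements Directory {
    @Override
    public SessionRef login(String username, String password) {
        Subject subject = SecurityUtils.getSubject(); // no SessionRef argument, so this is a fresh anonymous Subject
        subject.login(new UsernamePasswordToken(username, password));
        return new SessionRef(subject.getSession().getId()); // the client stores this and sends it with later calls
    }

    @Override
    public String whoAmI(SessionRef ref) {
        Subject subject = SecurityUtils.getSubject(); // bound by the interceptor from ref
        if (!subject.isAuthenticated()) {
            throw new EJBAccessException("no authenticated session for the supplied SessionRef");
        }
        return String.valueOf(subject.getPrincipal());
    }

    @Override
    public void logout(SessionRef ref) {
        SecurityUtils.getSubject().logout(); // invalidates the server-side session; the client must discard ref
    }
}
```

The client calls login once, keeps the returned SessionRef, and passes it with every later call; the interceptor turns it back into the same server-side Shiro session, which is the "client needs to get / keep the sessionId, server needs to buildSubject()" step spelled out. Two details matter for correctness: an unknown or timed-out id makes Shiro build an anonymous Subject rather than fail, so each bean method still has to check isAuthenticated() (or use checkPermission) itself; and because the SessionRef is a bearer credential, the remote transport carrying it should be encrypted, with Shiro's server-side session timeout bounding how long a captured one stays useful.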