Posted to users@isis.apache.org by Dan Haywood <da...@haywood-associates.co.uk> on 2013/07/25 09:03:57 UTC

Re: Restful authentication

cc'ing this to users@i.o. ... a query on how to remove authentication in RO.

see thread below

~~~
Maurizio,
Do you have the wicket viewer installed in the web.xml?  Because if not,
then the IsisSystem needs to be setup using
the org.apache.isis.core.webapp.IsisWebAppBootstrapper listener.

The example web.xml for the todo example app has this commented out.

I got things working with the todo app ok, (without removing the wicket
viewer) by:
a) changing the web.xml as described
b) changing the isis.authorization key to "bypass" (otherwise no members
were available).

~~~
To explain in more detail (apols if you've figured what follows out
already): there are three scopes for Isis:
- global application
- session
- transaction

The global application scope is set up either by the Wicket viewer
(IsisWicketApplication#init) or alternatively by IsisWebAppBootstrapper.
 This sets up IsisContext as a threadlocal, from whence the
AuthenticationManager, the SpecificationLoader and a few other shared
components live.

The session scope is set up for each interaction... cf a Hibernate Session
/ JDO PersistenceManager.  This relies upon the outer global app scope.
How this is done also depends on the viewer; the wicket viewer does it in a
Wicket callback (WebRequestCycleForIsis), while the RO viewer does it in
IsisSessionFilter.

The transaction scope runs within each session.  Wicket has a single
transaction, again in WebRequestCycleForIsis.  The RO viewer
(currently) relies on the "just-in-time" transaction wrapping done in the
object store [probably ought to change that].

Let me know how you get on.
Dan



On 25 July 2013 00:23, Maurizio Taverna <ta...@gmail.com> wrote:

> Dan,
> I'm doing something wrong.
> LOG
> INFO: javax.servlet.ServletContext log: Initializing Shiro environment
> INFO  - EnvironmentLoader          - Starting Shiro environment
> initialization.
> INFO  - IniSecurityManagerFactory  - Realms have been explicitly set on
> the SecurityManager instance - auto-setting of realms will not occur.
> INFO  - EnvironmentLoader          - Shiro environment initialized in 1254
> ms.
> INFO  - ResteasyDeployment         - Deploying
> javax.ws.rs.core.Application: class
> org.apache.isis.viewer.restfulobjects.server.RestfulObjectsApplication
> Jul 24, 2013 11:18:24 PM com.google.apphosting.utils.jetty.JettyLogger info
> INFO: Started SelectChannelConnector@127.0.0.1:8080
> Jul 24, 2013 11:18:24 PM
> com.google.appengine.tools.development.AbstractServer startup
> INFO: Server default is running at http://localhost:8080/
> Jul 24, 2013 11:18:24 PM
> com.google.appengine.tools.development.AbstractServer startup
> INFO: The admin console is running at http://localhost:8080/_ah/admin
> Jul 25, 2013 1:18:24 AM
> com.google.appengine.tools.development.DevAppServerImpl start
> INFO: Dev App Server is now running
>
>
> http://127:0,0,1:8080/restful/
>
> java.lang.NullPointerException
> 	at org.apache.isis.core.runtime.system.context.IsisContext.getSessionFactory(IsisContext.java:323)
> 	at org.apache.isis.core.runtime.system.context.IsisContext.getAuthenticationManager(IsisContext.java:366)
> 	at org.apache.isis.core.webapp.auth.AuthenticationSessionStrategyDefault.getAuthenticationManager(AuthenticationSessionStrategyDefault.java:110)
> 	at org.apache.isis.core.webapp.auth.AuthenticationSessionStrategyDefault.lookupValid(AuthenticationSessionStrategyDefault.java:61)
> 	at org.apache.isis.viewer.restfulobjects.server.authentication.AuthenticationSessionStrategyTrusted.lookupValid(AuthenticationSessionStrategyTrusted.java:33)
> 	at org.apache.isis.core.webapp.IsisSessionFilter$SessionState$1.handle(IsisSessionFilter.java:308)
> 	at org.apache.isis.core.webapp.IsisSessionFilter.doFilter(IsisSessionFilter.java:404)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
> 	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
> 	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
> 	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
> 	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
> 	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
> 	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
> 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
> 	at com.google.appengine.api.socket.dev.DevSocketFilter.doFilter(DevSocketFilter.java:74)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
> 	at com.google.appengine.tools.development.ResponseRewriterFilter.doFilter(ResponseRewriterFilter.java:123)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
> 	at com.google.appengine.tools.development.HeaderVerificationFilter.doFilter(HeaderVerificationFilter.java:34)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
> 	at com.google.appengine.api.blobstore.dev.ServeBlobFilter.doFilter(ServeBlobFilter.java:63)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
> 	at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
> 	at com.google.appengine.tools.development.StaticFileFilter.doFilter(StaticFileFilter.java:125)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
> 	at com.google.appengine.tools.development.DevAppServerServersFilter.doDirectRequest(DevAppServerServersFilter.java:369)
> 	at com.google.appengine.tools.development.DevAppServerServersFilter.doDirectServerRequest(DevAppServerServersFilter.java:352)
> 	at com.google.appengine.tools.development.DevAppServerServersFilter.doFilter(DevAppServerServersFilter.java:115)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
> 	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
> 	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
> 	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
> 	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
> 	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
> 	at com.google.appengine.tools.development.DevAppEngineWebAppContext.handle(DevAppEngineWebAppContext.java:97)
> 	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
> 	at com.google.appengine.tools.development.JettyContainerService$ApiProxyHandler.handle(JettyContainerService.java:438)
> 	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
> 	at org.mortbay.jetty.Server.handle(Server.java:326)
> 	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
> 	at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:923)
> 	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:547)
> 	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
> 	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
> 	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
> 	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
>
> web.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>            xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>           http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
>            version="2.5">
>
>     <welcome-file-list>
>         <welcome-file>index.jsp</welcome-file>
>     </welcome-file-list>
>
>     <!-- shiro security configuration -->
>     <listener>
>         <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
>     </listener>
>
>     <filter>
>         <filter-name>ShiroFilter</filter-name>
>         <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
>     </filter>
>
>     <filter-mapping>
>         <filter-name>ShiroFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
>     <listener>
>         <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
>     </listener>
>
>     <!-- used by RestEasy to determine the JAX-RS resources and other related configuration -->
>     <context-param>
>         <param-name>javax.ws.rs.Application</param-name>
>         <param-value>org.apache.isis.viewer.restfulobjects.server.RestfulObjectsApplication</param-value>
>     </context-param>
>
>     <context-param>
>         <param-name>resteasy.servlet.mapping.prefix</param-name>
>         <param-value>/restful/</param-value>
>     </context-param>
>
>     <filter>
>         <filter-name>IsisSessionFilterForRestfulObjects</filter-name>
>         <filter-class>org.apache.isis.core.webapp.IsisSessionFilter</filter-class>
>         <init-param>
>             <param-name>authenticationSessionStrategy</param-name>
>             <param-value>org.apache.isis.viewer.restfulobjects.server.authentication.AuthenticationSessionStrategyTrusted</param-value>
>         </init-param>
>
>         <init-param>
>             <!-- what to do if no session was found; we indicate to issue a 401 basic authentication challenge -->
>             <param-name>whenNoSession</param-name>
>             <param-value>continue</param-value>
>         </init-param>
>     </filter>
>
>     <filter-mapping>
>         <!-- this is mapped to the entire app; however the IsisSessionFilter will "notice" if the session filter has already been
>              executed for the request pipeline, and if so will do nothing -->
>         <filter-name>IsisSessionFilterForRestfulObjects</filter-name>
>         <servlet-name>RestfulObjectsRestEasyDispatcher</servlet-name>
>     </filter-mapping>
>
>     <servlet>
>         <servlet-name>RestfulObjectsRestEasyDispatcher</servlet-name>
>         <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
>     </servlet>
>     <servlet-mapping>
>         <servlet-name>RestfulObjectsRestEasyDispatcher</servlet-name>
>         <url-pattern>/restful/*</url-pattern>
>     </servlet-mapping>
>
> </web-app>
>
> Maurizio
>
>
>
>
>
>
> 2013/7/25 Dan Haywood <da...@haywood-associates.co.uk>
>
>> in web.xml, there will be something like:
>>
>>     <!-- authenticate user, set up an Isis session -->
>>     <filter>
>>         <filter-name>IsisSessionFilterForRestfulObjects</filter-name>
>>         <filter-class>org.apache.isis.core.webapp.IsisSessionFilter</filter-class>
>>         <!-- authentication required for REST -->
>>         <init-param>
>>             <param-name>authenticationSessionStrategy</param-name>
>>             <param-value>org.apache.isis.viewer.restfulobjects.server.authentication.AuthenticationSessionStrategyBasicAuth</param-value>
>>         </init-param>
>>         <init-param>
>>             <!-- what to do if no session was found; we indicate to issue a 401 basic authentication challenge -->
>>             <param-name>whenNoSession</param-name>
>>             <param-value>basicAuthChallenge</param-value>
>>         </init-param>
>>     </filter>
>>
>> so change to some other authenticationSessionStrategy,
>> eg AuthenticationSessionStrategyTrusted.
>>
>> Cheers
>>  Dan
>>
>>
>>
>>
>>
>> On 24 July 2013 23:52, Maurizio Taverna <ta...@gmail.com> wrote:
>>
>>> Hi Dan,
>>> I have a question, how can I remove the authentication from the RESTFul
>>> viewer?
>>>
>>> Cheers
>>> Maurizio
>>>
>>
>>
>
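
An added example, not part of the original thread or of the Isis code base: a small audit of a web.xml for the two conditions discussed in the reply at the top of this message, namely a missing IsisWebAppBootstrapper listener when the Wicket viewer is not installed, and an IsisSessionFilter configured with AuthenticationSessionStrategyTrusted, which leaves the RO viewer unauthenticated. The function name, finding codes and the detection of the Wicket viewer by the class name IsisWicketApplication are assumptions; the sample is constructed from the quoted configuration.

```python
import xml.etree.ElementTree as ET

BOOTSTRAP = "org.apache.isis.core.webapp.IsisWebAppBootstrapper"
SESSION_FILTER = "org.apache.isis.core.webapp.IsisSessionFilter"

# Constructed sample: the security-relevant part of the web.xml quoted in the thread.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>IsisSessionFilterForRestfulObjects</filter-name>
    <filter-class>org.apache.isis.core.webapp.IsisSessionFilter</filter-class>
    <init-param>
      <param-name>authenticationSessionStrategy</param-name>
      <param-value>org.apache.isis.viewer.restfulobjects.server.authentication.AuthenticationSessionStrategyTrusted</param-value>
    </init-param>
    <init-param>
      <param-name>whenNoSession</param-name>
      <param-value>continue</param-value>
    </init-param>
  </filter>
</web-app>"""

def text(elem, tag):
    """Trimmed text of a direct child element in any XML namespace ('' if absent)."""
    return (elem.findtext("{*}" + tag, "") or "").strip()

def audit_web_xml(xml_text):
    """Return finding codes (hypothetical names): 'no-bootstrap', 'trusted-rest-auth'."""
    root = ET.fromstring(xml_text)
    findings = []
    listeners = {(e.text or "").strip()
                 for e in root.findall("{*}listener/{*}listener-class")}
    # Assumption: an installed Wicket viewer is visible as the class name IsisWicketApplication.
    wicket = any("IsisWicketApplication" in (e.text or "") for e in root.iter())
    if BOOTSTRAP not in listeners and not wicket:
        findings.append("no-bootstrap")  # nothing sets up the global application scope
    for flt in root.findall("{*}filter"):
        if text(flt, "filter-class") != SESSION_FILTER:
            continue
        params = {text(p, "param-name"): text(p, "param-value")
                  for p in flt.findall("{*}init-param")}
        if params.get("authenticationSessionStrategy", "").endswith("AuthenticationSessionStrategyTrusted"):
            findings.append("trusted-rest-auth")  # REST requests accepted without credentials
    return findings

# Same sample with the bootstrap listener added, as the reply describes.
FIXED = SAMPLE.replace(
    "<filter>", "<listener><listener-class>%s</listener-class></listener>\n  <filter>" % BOOTSTRAP, 1)

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE))  # both findings
    print(audit_web_xml(FIXED))   # bootstrap present, REST still unauthenticated
```
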