Posted to user@shiro.apache.org by jagregory <ja...@jagregory.com> on 2011/07/14 01:13:02 UTC

Custom WebSecurityManager not being used by SecurityUtils

Hello everyone,

This is probably going to be a long shot without me providing a working
example. I'm hoping someone will point out something obvious. Otherwise,
I'll try to put together a working example.

I've been trying to get Authorization working (roles, specifically) using
annotations, with minimal success. My setup is a web app (Jersey via Jetty)
using Guice. My configuration of Shiro follows the same idea as the Guice
examples out there (like this one
http://stackoverflow.com/questions/5887603/configuring-apache-shiro-with-google-guice-servlet).
Everything is configured purely through code, no Ini. I have a
GuiceShiroFilter (below) which filters all requests.

@Singleton
public class GuiceShiroFilter extends AbstractShiroFilter {
    @Inject
    public GuiceShiroFilter(WebSecurityManager securityManager,
                            FilterChainResolver filterChainResolver) {
        setSecurityManager(securityManager);
        setFilterChainResolver(filterChainResolver);
    }
}

And in my Guice configuration, I create a custom WebSecurityManager, like
so:

@Provides @Singleton
public WebSecurityManager provideWebSecurityManager(Realm realm) {
    return new MyAppWebSecurityManager(realm);
}

This hooks up my custom realm with the web security manager.

What I'm seeing is when the user requests a url which is annotated with
@RequiresRoles("admin"), I get the following exception:

Configuration error:  No realms have been configured!  One or more realms
must be present to execute an authorization operation.

After a lot of poking around, I can see that
SecurityUtils.getSecurityManager() (and indirectly,
SecurityUtils.getSubject()) don't have a reference to my custom
WebSecurityManager. In fact, they have a DefaultWebSecurityManager instance.
So, of course, they don't have a reference to my custom realm.

I tried calling SecurityUtils.setSecurityManager in my
provideWebSecurityManager method, which correctly sets the security manager
in SecurityUtils for that request, but as soon as another request comes in
the security manager is back to a DefaultWebSecurityManager again.

Help? This has got me stumped. It seems the SecurityManager instance is
getting lost somewhere after the first request.

Any advice would be greatly appreciated.

Thanks,
James

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Custom-WebSecurityManager-not-being-used-by-SecurityUtils-tp6581200p6581200.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Custom WebSecurityManager not being used by SecurityUtils

Posted by jagregory <ja...@jagregory.com>.
Thanks for the reply Les, that does sound good. Regardless though, I still
shouldn't have had two Shiro filters (especially when the second had nothing
to do with Shiro!).


Re: Custom WebSecurityManager not being used by SecurityUtils

Posted by Les Hazlewood <lh...@apache.org>.
Hi James,

I believe your concerns will be entirely alleviated with Shiro 1.2.
In Shiro 1.2, you initialize Shiro via a ServletContextListener:

http://shiro.apache.org/web.html#Web-configuration

This will initialize the Shiro environment (e.g. the SecurityManager
and a FilterChainResolver to represent filter chains) at application
startup before any Filters are initialized.

Then, you can define any number of servlet Filters because they will
only acquire what was created at startup by the
ServletContextListener.  I.e. you won't have multiple ShiroFilters
trying to start up separate Shiro environments.

However, it is still the most common approach to have only one
ShiroFilter for an application and let that filter all requests.

HTH!

Cheers,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Thu, Jul 14, 2011 at 2:01 PM, jagregory <ja...@jagregory.com> wrote:
> That was it. So the problem was: I had another Filter which was executing
> after my Shiro security filter, which also inherited from
> AbstractShiroFilter. The second filter seemed to overwrite anything the
> first filter did in terms of SecurityManagers.
>
> Moral of the story: Only have one AbstractShiroFilter implementation.
>
> I don't believe this was deliberate, probably just a copy & paste error.
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Custom-WebSecurityManager-not-being-used-by-SecurityUtils-tp6581200p6584876.html
> Sent from the Shiro User mailing list archive at Nabble.com.
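
A check for the symptom reported in this thread, added here as an example (it is not code from the posters or from the Shiro project): a plain servlet filter, mapped after the application's single Shiro filter, that fails the request when the SecurityManager visible through SecurityUtils is not the configured one or has no realms. The class name SecurityManagerCheckFilter and its constructor wiring are assumptions; the expected instance would be injected from the same Guice binding shown in the first message.

```java
import java.io.IOException;
import java.util.Collection;
import javax.servlet.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.UnavailableSecurityManagerException;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;

// Hypothetical diagnostic filter. It implements javax.servlet.Filter directly
// and does NOT extend AbstractShiroFilter, so it never builds its own manager.
public class SecurityManagerCheckFilter implements Filter {
    private final SecurityManager expected;

    public SecurityManagerCheckFilter(SecurityManager expected) {
        this.expected = expected;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SecurityManager actual;
        try {
            actual = SecurityUtils.getSecurityManager();
        } catch (UnavailableSecurityManagerException e) {
            throw new ServletException("No SecurityManager bound for this request", e);
        }
        // A different instance means some other filter replaced the binding.
        if (actual != expected) {
            throw new ServletException("Unexpected SecurityManager: "
                    + actual.getClass().getName());
        }
        // An empty realm list is what produces "No realms have been configured!".
        if (actual instanceof RealmSecurityManager) {
            Collection<Realm> realms = ((RealmSecurityManager) actual).getRealms();
            if (realms == null || realms.isEmpty()) {
                throw new ServletException("SecurityManager has no realms configured");
            }
        }
        chain.doFilter(req, res);
    }
}
```

Failing the request here keeps a misconfigured filter chain from reaching handlers whose role checks would otherwise run against the wrong manager.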

Re: Custom WebSecurityManager not being used by SecurityUtils

Posted by jagregory <ja...@jagregory.com>.
That was it. So the problem was: I had another Filter which was executing
after my Shiro security filter, which also inherited from
AbstractShiroFilter. The second filter seemed to overwrite anything the
first filter did in terms of SecurityManagers.

Moral of the story: Only have one AbstractShiroFilter implementation.

I don't believe this was deliberate, probably just a copy & paste error.


Re: Custom WebSecurityManager not being used by SecurityUtils

Posted by jagregory <ja...@jagregory.com>.
Me again.

I think I've got it, but need to test on my production app. I have multiple
servlet filters, one of which is my SecurityFilter which deals with Shiro.
After my SecurityFilter I have a HibernateFilter, but I've noticed this
also inherits from AbstractShiroFilter rather than just implementing Filter
itself. I believe the two ShiroFilters are in conflict, and the
HibernateFilter is somehow overwriting the SecurityManager created by the
first filter.

I'll confirm this later by changing the HibernateFilter, and let you know if
that was the issue.


Re: Custom WebSecurityManager not being used by SecurityUtils

Posted by jagregory <ja...@jagregory.com>.
Ok, update time.

I've tried to create a cut-down version of my setup to reproduce the bug.
Fortunately, or unfortunately, I haven't been able to reproduce it! I've got
a bare-bones app that on the surface looks very similar to my setup, but it
all works fine; so there has got to be a configuration nuance in my actual
app that I haven't carried across into my demo.

I'll do some more digging, and I'll post here when I find out what the
problem is.
