Posted to dev@shiro.apache.org by Steinar Bang <sb...@dod.no> on 2019/06/27 16:43:06 UTC

What should deprecated class WebIniSecurityManagerFactory be replaced with in OSGi?

In my Shiro-in-OSGi-configured-by-code solutions I ended up using
the deprecated WebIniSecurityManagerFactory, with some tricks to find
the shiro.ini file in the OSGi classpath:
 https://github.com/steinarb/authservice/blob/master/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/AuthserviceShiroFilter.java#L73
 https://github.com/steinarb/ukelonn/blob/master/ukelonn.web.security/src/main/java/no/priv/bang/ukelonn/web/security/UkelonnShiroFilter.java#L69
 https://github.com/steinarb/handlereg/blob/master/handlereg.web.security/src/main/java/no/priv/bang/handlereg/web/security/HandleregShiroFilter.java#L65
 https://github.com/steinarb/authservice-sampleclient/blob/master/src/main/java/no/priv/bang/authservice/sampleclient/AuthserviceSampleClientShiroFilter.java#L73

The only thing the shiro.ini is used for is path to user/role/permission
mapping inside the webapps.

Configuration outside of path access, is a combination of configuration
by code in the activate methods of DS components, and OSGi service
injections into the same DS components (Realm and SessionDAO are
injected).

However, the class I use to start the configuration in the activate
methods, WebIniSecurityManagerFactory, is deprecated.

What should I use instead?


Thanks!


- Steinar

Re: What should deprecated class WebIniSecurityManagerFactory be replaced with in OSGi?

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Steinar Bang <sb...@public.gmane.org>:

> I'm also pondering the possibility of replacing the JDBC realm with LDAP
> without the webapps seeing any difference.  That would be kind of cool:
> it would be possible to select a JDBC realm or an LDAP realm just by
> juggling karaf features.

(A full shiro that could be composed by depending on various karaf
features would be supercool, and would be something I definitely would
use.  I don't know if Francois is planning something like this...?)


Re: What should deprecated class WebIniSecurityManagerFactory be replaced with in OSGi?

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Brian Demers <br...@public.gmane.org>:

> Possibly SHIRO-712 <https://issues.apache.org/jira/browse/SHIRO-712>, but
> I'd like to make sure we are capturing the use-case too.

> Your example seems like a bit of a hybrid of DI and the INI.  I'm
> guessing you want everything except the `[urls]` section outside of the INI
> file?

Yes.  But, except for the Realm and SessionDAO, mostly because I had to.
All of the configuration by reflection failed in the OSGi class loader.

It may be that the stuff the karaf people are doing in shiro, will fix
the OSGi classloader issues...?  I haven't tried doing config from the
INI, since shiro 1.3.1.

But Realm and SessionDAO I _do_ want to get from injection.  This is how
I do cross-webapp login inside karaf.

I'm also pondering the possibility of replacing the JDBC realm with LDAP
without the webapps seeing any difference.  That would be kind of cool:
it would be possible to select a JDBC realm or an LDAP realm just by
juggling karaf features.

I do something similar today to choose between derby testdatabases and
PostgreSQL production databases.

I also juggle to select if a webapp should pull in authservice or if it
should expect authservice to be present before loading.

Re: What should deprecated class WebIniSecurityManagerFactory be replaced with in OSGi?

Posted by Brian Demers <br...@gmail.com>.
Possibly SHIRO-712 <https://issues.apache.org/jira/browse/SHIRO-712>, but
I'd like to make sure we are capturing the use-case too.

Your example seems like a bit of a hybrid of DI and the INI.  I'm
guessing you want everything except the `[urls]` section outside of the INI
file?

On Fri, Jun 28, 2019 at 10:30 AM Steinar Bang <sb...@dod.no> wrote:

> >>>>> Steinar Bang <sb...@public.gmane.org>:
> >>>>> Steinar Bang <sb-1rLz5CwDoL8-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>:
>
> >> I'm able to create a DefaultWebSecurityManager with new, but I
> >> couldn't figure out how to read in the shiro.ini configuration...?
>
> > Hm... perhaps this is what I should wait for...?
> >  https://issues.apache.org/jira/browse/SHIRO-712
>
> > (But then again, if it relies on reflection it's possible I can't use
> > it...?)
>
> What I want it for, is the mapping from paths to
> users/roles/permissions.
>
> Perhaps that could be done using e.g. DS config...?
>
> What do the results of reading shiro.ini look like?
>

Re: What should deprecated class WebIniSecurityManagerFactory be replaced with in OSGi?

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Steinar Bang <sb...@public.gmane.org>:
>>>>> Steinar Bang <sb...@public.gmane.org>:

>> I'm able to create a DefaultWebSecurityManager with new, but I
>> couldn't figure out how to read in the shiro.ini configuration...?

> Hm... perhaps this is what I should wait for...?
>  https://issues.apache.org/jira/browse/SHIRO-712

> (But then again, if it relies on reflection it's possible I can't use
> it...?)

What I want it for, is the mapping from paths to
users/roles/permissions.

Perhaps that could be done using e.g. DS config...?

What do the results of reading shiro.ini look like?

Re: What should deprecated class WebIniSecurityManagerFactory be replaced with in OSGi?

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Steinar Bang <sb...@public.gmane.org>:

> I'm able to create a DefaultWebSecurityManager with new, but I couldn't
> figure out how to read in the shiro.ini configuration...?

Hm... perhaps this is what I should wait for...?
 https://issues.apache.org/jira/browse/SHIRO-712

(But then again, if it relies on reflection it's possible I can't use
it...?)

Re: What should deprecated class WebIniSecurityManagerFactory be replaced with in OSGi?

Posted by Steinar Bang <sb...@dod.no>.
>>>>> Brian Demers <br...@public.gmane.org>:

> I'm guessing in your case you might want to do something similar to what we
> do for Guice (create a WebEnvironment implementation)
> https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/WebGuiceEnvironment.java

> For the SecurityManager, you should just be able to create a new instance
> and use/inject that.

Thanks, Brian!   :-)

I'm able to create a DefaultWebSecurityManager with new, but I couldn't
figure out how to read in the shiro.ini configuration...?

Re: What should deprecated class WebIniSecurityManagerFactory be replaced with in OSGi?

Posted by Brian Demers <br...@gmail.com>.
We should have added the javadoc tag leaving instructions on what to do.

I'm guessing in your case you might want to do something similar to what we
do for Guice (create a WebEnvironment implementation)
https://github.com/apache/shiro/blob/master/support/guice/src/main/java/org/apache/shiro/guice/web/WebGuiceEnvironment.java

For the SecurityManager, you should just be able to create a new instance
and use/inject that.

Let me know how it goes!
-Brian


On Thu, Jun 27, 2019 at 12:43 PM Steinar Bang <sb...@dod.no> wrote:

> In my Shiro-in-OSGi-configured-by-code solutions I ended up using
> the deprecated WebIniSecurityManagerFactory, with some tricks to find
> the shiro.ini file in the OSGi classpath:
>
> https://github.com/steinarb/authservice/blob/master/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/AuthserviceShiroFilter.java#L73
>
> https://github.com/steinarb/ukelonn/blob/master/ukelonn.web.security/src/main/java/no/priv/bang/ukelonn/web/security/UkelonnShiroFilter.java#L69
>
> https://github.com/steinarb/handlereg/blob/master/handlereg.web.security/src/main/java/no/priv/bang/handlereg/web/security/HandleregShiroFilter.java#L65
>
> https://github.com/steinarb/authservice-sampleclient/blob/master/src/main/java/no/priv/bang/authservice/sampleclient/AuthserviceSampleClientShiroFilter.java#L73
>
> The only thing the shiro.ini is used for is path to user/role/permission
> mapping inside the webapps.
>
> Configuration outside of path access, is a combination of configuration
> by code in the activate methods of DS components, and OSGi service
> injections into the same DS components (Realm and SessionDAO are
> injected).
>
> However, the class I use to start the configuration in the activate
> methods, WebIniSecurityManagerFactory, is deprecated.
>
> What should I use instead?
>
>
> Thanks!
>
>
> - Steinar
>
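
Added example, not part of the thread and not code from Shiro or from the linked projects: one way to do what the messages above discuss, creating a DefaultWebSecurityManager with new around an injected Realm and SessionDAO and taking only the [urls] path mapping from shiro.ini. The class name and the sample INI text are constructed for illustration.

```java
import java.util.Map;
import org.apache.shiro.config.Ini;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

public class UrlsOnlyShiroConfig {
    // Constructed sample; a real bundle would load its own shiro.ini with
    // ini.load(getClass().getClassLoader().getResourceAsStream("shiro.ini")).
    static final String SAMPLE_INI = String.join("\n",
        "[urls]", "/login = anon",
        "/admin/** = authc, roles[admin]",
        "/** = authc");

    // Realm and SessionDAO are the injected OSGi services from the thread's setup.
    static DefaultWebSecurityManager securityManager(Realm realm, SessionDAO sessionDao) {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionDAO(sessionDao);
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        securityManager.setRealm(realm);
        return securityManager;
    }

    // Only [urls] is read; [main], which instantiates classes by name, is never consulted.
    static PathMatchingFilterChainResolver chainResolver(Ini ini) {
        DefaultFilterChainManager chains = new DefaultFilterChainManager();
        Ini.Section urls = ini.getSection("urls");
        if (urls == null || urls.isEmpty()) {
            // Fail closed: without any chain every path would pass through unfiltered.
            throw new IllegalStateException("shiro.ini has no [urls] entries");
        }
        // The section keeps file order and the resolver uses the first matching pattern.
        for (Map.Entry<String, String> e : urls.entrySet()) {
            chains.createChain(e.getKey(), e.getValue());
        }
        PathMatchingFilterChainResolver resolver = new PathMatchingFilterChainResolver();
        resolver.setFilterChainManager(chains);
        return resolver;
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(SAMPLE_INI);
        System.out.println(chainResolver(ini).getFilterChainManager().getChainNames());
    }
}
```

In a subclass of AbstractShiroFilter the two results would be passed to setSecurityManager and setFilterChainResolver. Because the first matching pattern wins, the catch-all `/** = authc` line has to stay last in the file.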