Posted to dev@shiro.apache.org by "Isak W (Jira)" <ji...@apache.org> on 2019/12/23 01:28:00 UTC

[jira] [Comment Edited] (SHIRO-627) something wrong with shiro-spring-boot-web-starter,it did not auto register securityManager???

    [ https://issues.apache.org/jira/browse/SHIRO-627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17002036#comment-17002036 ] 

Isak W edited comment on SHIRO-627 at 12/23/19 1:27 AM:
--------------------------------------------------------

The problem comes from having one or more Realms registered that also qualify as Authorizers (usually due to extending AuthorizingRealm). This causes the default Authorizer (ShiroWebAutoConfiguration#authorizer) not to be created due to there already being an Authorizer registered (@ConditionalOnMissingBean will only match the type if nothing else is specified). When the default SecurityManager bean is created (ShiroWebAutoConfiguration#securityManager) it expects a bean of type Authorizer and name "authorizer", but the Realm, which also overrides the Authorizer, most likely isn't qualified with that name, hence the error: "No bean named 'authorizer' available".

The issue is easy to reproduce: in ShiroWebAutoConfigurationTestApplication#getTextConfigurationRealm, change the return type from Realm to TextConfigurationRealm (see my PR). In my case, just like [~cbchd] and [~apachexx], I had registered my own custom Realm implementation as a @Component, which would register the Realm as its implementation and qualify it with all interfaces it implements, including Authorizer. One workaround is to explicitly register an Authorizer bean with name "authorizer", as mentioned before, instead of relying on the default implementation. A better workaround IMO is to register all Realms as Realm (the interface) rather than its implementation. That means not making them @Components but instead registering them as @Beans with return type Realm.

My suggested fix would be to determine missing beans by name rather than type, which would allow for an AuthorizingRealm to be registered as a @Component without having it override the default Authorizer. I think it makes sense since the default SecurityManager even requires a named bean anyway. I have made a [pull request|https://github.com/apache/shiro/pull/191] - what are your thoughts?

As a sidenote, I think it would be good to use less generic bean names in future releases (although that would be a breaking change). Names such as "sessionFactory" run a very high risk of conflicting with other configurations.


was (Author: iswer1):
The problem comes from having one or more Realms registered that also qualify as Authorizers (usually due to extending AuthorizingRealm). This causes the default Authorizer (ShiroWebAutoConfiguration#authorizer) not to be invoked due to there already being an Authorizer registered (@ConditionalOnMissingBean will only match the type if nothing else is specified). When the default SecurityManager bean is created (ShiroWebAutoConfiguration#securityManager) it expects a bean of type Authorizer and name "authorizer", but the registered Realms' name most likely doesn't match that, hence the error: "No bean named 'authorizer' available".

The issue is easy to reproduce: in ShiroWebAutoConfigurationTestApplication#getTextConfigurationRealm, change the return type from Realm to TextConfigurationRealm (see my PR). In my case, just like [~cbchd] and [~apachexx], I had registered my own custom Realm implementation as a @Component, which would register the Realm as its implementation and qualify it with all interfaces it implements, including Authorizer. One workaround is to explicitly register an Authorizer bean with name "authorizer", as mentioned before, instead of relying on the default implementation. A better workaround IMO is to register all Realms as Realm (the interface) rather than its implementation. That means not making them @Components but instead registering them as @Beans with return type Realm.

My suggested fix would be to determine missing beans by name rather than type, which would allow for an AuthorizingRealm to be registered as a @Component without having it override the default Authorizer. I think it makes sense since the default SecurityManager even requires a named bean anyway. I have made a [pull request|https://github.com/apache/shiro/pull/191] - what are your thoughts?

As a sidenote, I think it would be good to use less generic bean names in future releases (although that would be a breaking change). Names such as "sessionFactory" run a very high risk of conflicting with other configurations.

> something wrong with shiro-spring-boot-web-starter,it did not auto register securityManager???
> ----------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-627
>                 URL: https://issues.apache.org/jira/browse/SHIRO-627
>             Project: Shiro
>          Issue Type: Question
>          Components: Sample Apps
>    Affects Versions: 1.4.0
>         Environment: windows 7 64bit
> jdk 1.8
>            Reporter: hujie
>            Assignee: Francois Papon
>            Priority: Major
>              Labels: starter
>             Fix For: 1.5.1
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> {code}
> 2017-06-26 19:59:22.126  INFO 6576 --- [           main] c.p.s.Jsr303HibernateValidateApplication : Starting Jsr303HibernateValidateApplication on hujie-PC with PID 6576 (D:\jee-git-repo\study\JSR303-Hibernate-Validate\target\classes started by hujie in D:\jee-git-repo\study\JSR303-Hibernate-Validate)
> 2017-06-26 19:59:22.150  INFO 6576 --- [           main] c.p.s.Jsr303HibernateValidateApplication : No active profile set, falling back to default profiles: default
> 2017-06-26 19:59:22.232  INFO 6576 --- [           main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@539d019: startup date [Mon Jun 26 19:59:22 CST 2017]; root of context hierarchy
> 2017-06-26 19:59:23.586  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.apache.shiro.spring.boot.autoconfigure.ShiroBeanAutoConfiguration' of type [class org.apache.shiro.spring.boot.autoconfigure.ShiroBeanAutoConfiguration$$EnhancerBySpringCGLIB$$51c46c26] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:23.624  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'eventBus' of type [class org.apache.shiro.event.support.DefaultEventBus] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:23.730  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.apache.shiro.spring.config.web.autoconfigure.ShiroWebAutoConfiguration' of type [class org.apache.shiro.spring.config.web.autoconfigure.ShiroWebAutoConfiguration$$EnhancerBySpringCGLIB$$7660cc90] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:23.772  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'localRealm' of type [class cn.points.study.shiro.realms.LocalRealm$$EnhancerBySpringCGLIB$$b0c600bf] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:24.032  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'sessionStorageEvaluator' of type [class org.apache.shiro.web.mgt.DefaultWebSessionStorageEvaluator] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:24.034  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'subjectDAO' of type [class org.apache.shiro.mgt.DefaultSubjectDAO] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:24.038  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'subjectFactory' of type [class org.apache.shiro.web.mgt.DefaultWebSubjectFactory] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:24.044  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'rememberMeCookieTemplate' of type [class org.apache.shiro.web.servlet.SimpleCookie] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:24.049  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'rememberMeManager' of type [class org.apache.shiro.web.mgt.CookieRememberMeManager] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:24.055  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'authenticationStrategy' of type [class org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:24.060  INFO 6576 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'authenticator' of type [class org.apache.shiro.authc.pam.ModularRealmAuthenticator] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
> 2017-06-26 19:59:24.062  WARN 6576 --- [           main] ationConfigEmbeddedWebApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.shiro.spring.config.web.autoconfigure.ShiroWebFilterConfiguration': Unsatisfied dependency expressed through field 'securityManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'securityManager' defined in class path resource [org/apache/shiro/spring/config/web/autoconfigure/ShiroWebAutoConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.shiro.mgt.SessionsSecurityManager]: Factory method 'securityManager' threw exception; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'authorizer' is defined
> 2017-06-26 19:59:24.143 ERROR 6576 --- [           main] o.s.b.d.LoggingFailureAnalysisReporter   : 
> ***************************
> APPLICATION FAILED TO START
> ***************************
> Description:
> Field securityManager in org.apache.shiro.spring.web.config.AbstractShiroWebFilterConfiguration required a bean named 'authorizer' that could not be found.
> {code}
> ********************************************************************************8
> {code}
> my boot properties :
> shiro.enabled=true
> shiro.web.enabled=true
> shiro.annotations.enabled=false
> shiro.loginUrl=/login.html
> shiro.successUrl=/
> shiro.unauthorizedUrl=/unauthorizedUrl.html
> shiro.userNativeSessionManager=true
> {code}
> I read the code of shiro-spring-boot-web-starter and shiro-spring-boot-starter, and I registered one bean of type Realm.
> {color:red}But when I debugged, I found there is no securityManager???{color}
> Why do the Shiro samples not register a securityManager bean, yet they can run?
> Sorry about my English.
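
The Realm registration workaround described in the comment above, as an added example that is not part of the original message or of the Shiro code base. The class names RealmRegistrationExample, ConcreteTypeConfig and InterfaceTypeConfig and the sample account are constructed for illustration; the first nested class shows the declaration that triggers "No bean named 'authorizer'" and is deliberately left inactive.

```java
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.TextConfigurationRealm;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

public class RealmRegistrationExample {

    // Constructed sample account and role, for illustration only.
    static TextConfigurationRealm sampleRealm() {
        TextConfigurationRealm realm = new TextConfigurationRealm();
        realm.setUserDefinitions("joe.coder=changeit,user");
        realm.setRoleDefinitions("user=read");
        return realm;
    }

    // Failing form: the declared bean type is the concrete class.
    // TextConfigurationRealm extends AuthorizingRealm, so the bean also
    // matches the type Authorizer. The starter's default "authorizer" bean
    // is guarded by @ConditionalOnMissingBean and is therefore skipped,
    // while securityManager still asks for a bean named "authorizer".
    // Left without @Configuration here so that it stays inactive.
    static class ConcreteTypeConfig {
        @Bean
        public TextConfigurationRealm realm() {
            return sampleRealm();
        }
    }

    // Workaround: declare the bean as the Realm interface. The declared
    // type no longer matches Authorizer, so the default "authorizer" bean
    // is created and the default securityManager can be wired.
    @Configuration
    static class InterfaceTypeConfig {
        @Bean
        public Realm realm() {
            return sampleRealm();
        }
    }
}
```

A custom realm that extends AuthorizingRealm follows the same pattern: drop @Component from the class and return it from a @Bean method whose return type is Realm.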


