Posted to user@shiro.apache.org by "Imam, Shams" <Sh...@sabre.com> on 2009/04/02 16:41:45 UTC
Subject reset when page refreshed with F5 the second time
Hi everyone,

I'm new to both Grails and JSecurity. I'm trying to integrate JSecurity into our existing webapp.

I've implemented a custom Realm and am using a 'non-remember me' token. My Account returns string-based permissions.

Now to the actual problem I'm facing: Whenever I refresh a page using F5 on Firefox (haven't tested on other browsers yet) my Subject gets reset the second time. However, if I continue browsing the pages by clicking on the various links my Subject doesn't get reset. Any idea why this is happening and how I can avoid the Subject reset?

Below is a summary of my Grails bootstrap code and log outputs.

Code in Grails Bootstrap:
=========================
def init = { servletContext ->
    println '--- BootStrap ---'
    // Initialize the jSecurity realm
    DefaultSecurityManager securityManager = new DefaultSecurityManager();
    securityManager.setRealm(new MyCustomRealm());
    // Register the manager as the static, VM-wide SecurityManager
    SecurityUtils.setSecurityManager(securityManager);
    // Debug output: thread-bound SecurityManager and Subject (1a, 1b)
    // versus the Subject returned by the static SecurityManager (2)
    println '1a - ThreadContext.securityManager: ' +
        org.jsecurity.util.ThreadContext.getSecurityManager()
    println '1b - ThreadContext.securityManager.subject: ' +
        org.jsecurity.util.ThreadContext.getSecurityManager()?.getSubject()
    println '2 - SecurityUtils.securityManager.subject' +
        org.jsecurity.SecurityUtils.securityManager?.getSubject()
}

Summary of Console Outputs:
===========================
--- BootStrap ---
1a - ThreadContext.securityManager: null
1b - ThreadContext.securityManager.subject: null
2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSubject@165391b

// The login page
session.originalRequestParams.zipcode = 76092
hasPermission:'admin|reviewer' -> false : JSecurity Session: org.jsecurity.subject.DelegatingSubject$StoppingAwareProxiedSession@13f866 with timeout 1800000 and principal null Grails session id: 4v2u9cqs9y4i
1a - ThreadContext.securityManager: null
2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSubject@17ff60e

// Login successful
Login: Session: org.jsecurity.subject.DelegatingSubject$StoppingAwareProxiedSession@cfd5ee with timeout 1800000

// Home page after login
hasPermission:'admin|reviewer' -> true : JSecurity Session: org.jsecurity.subject.DelegatingSubject$StoppingAwareProxiedSession@cfd5ee with timeout 1800000 and principal Test:REVIEWER Grails session id: 4v2u9cqs9y4i
1a - ThreadContext.securityManager: null
2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSubject@17ff60e
lacksPermission:'admin|reviewer' -> false : Session: org.jsecurity.subject.DelegatingSubject$StoppingAwareProxiedSession@cfd5ee with timeout 1800000 and principal Test:REVIEWER

// Refresh using F5 first time
hasPermission:'admin|reviewer' -> true : JSecurity Session: org.jsecurity.subject.DelegatingSubject$StoppingAwareProxiedSession@cfd5ee with timeout 1800000 and principal Test:REVIEWER Grails session id: 4v2u9cqs9y4i
1a - ThreadContext.securityManager: null
2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSubject@17ff60e
lacksPermission:'admin|reviewer' -> false : Session: org.jsecurity.subject.DelegatingSubject$StoppingAwareProxiedSession@cfd5ee with timeout 1800000 and principal Test:REVIEWER

// Refresh using F5 second time
hasPermission:'admin|reviewer' -> false : JSecurity Session: org.jsecurity.subject.DelegatingSubject$StoppingAwareProxiedSession@cc4364 with timeout 1800000 and principal null Grails session id: 4v2u9cqs9y4i
1a - ThreadContext.securityManager: null
2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSubject@5c775d
lacksPermission:'admin|reviewer' -> true : Session: org.jsecurity.subject.DelegatingSubject$StoppingAwareProxiedSession@cc4364 with timeout 1800000 and principal null

Thanks,
Shams
RE: Subject reset when page refreshed with F5 the second time
Posted by "Imam, Shams" <Sh...@sabre.com>.
Hi Les,

Thanks for noticing that. As I said, I'm new to Grails too, so I wasn't sure how to configure a 'Java' filter into the app (I wasn't seeing my web.xml :-) )

Anyways, a little more searching and I've figured out how to do it and followed your suggestion and configured the standard filter into the web.xml.

All is working in my webapp as expected (so far at least :D ).

I'm not using the standard grails-jsecurity plug-in as I need instance-based authz and have different types of users which I'm validating through my own Service classes.

On another note, I'm finding JSecurity (Ki) much easier to use compared to JAAS and am really enjoying using it.

The permissions are generated at runtime after the user has been logged in. The WildcardPermission is working beautifully.

Thanks once again.
Shams.
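
The standard-filter setup this reply refers to, sketched as a web.xml fragment. This is an added example, not configuration posted in the thread: it assumes the JSecurity 0.9 filter class org.jsecurity.web.servlet.JSecurityFilter and its INI-style "config" init-param, and the package com.example.security is a placeholder for wherever MyCustomRealm actually lives.

```xml
<!-- Added example (not from the thread). The standard filter creates a
     web-aware SecurityManager, wraps each servlet request, and binds and
     unbinds the Subject around every request. -->
<filter>
    <filter-name>JSecurityFilter</filter-name>
    <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
    <init-param>
        <param-name>config</param-name>
        <param-value>
            [main]
            # Placeholder package name: replace with the fully qualified
            # class name of the custom Realm used in this application.
            myRealm = com.example.security.MyCustomRealm
        </param-value>
    </init-param>
</filter>

<!-- Map the filter to every request. Filters run in the order of their
     filter-mapping entries, so keep this mapping ahead of any filter
     that needs the Subject. -->
<filter-mapping>
    <filter-name>JSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

With the standard filter mapped this way, the SecurityManager set up in BootStrap and the manual ThreadContext binding in the hand-written JSecurityFilters class are no longer needed.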
________________________________
From: les.hazlewood@anjinllc.com [mailto:les.hazlewood@anjinllc.com] On
Behalf Of Les Hazlewood
Sent: Friday, April 03, 2009 7:56 AM
To: jsecurity-user@incubator.apache.org
Subject: Re: Subject reset when page refreshed with F5 the second time
Hi Shams,
Your Groovy class "JSecurityFilters" doesn't appear to do everything
necessary. Look at the existing 'master' Filter here:
https://svn.apache.org/repos/asf/incubator/jsecurity/trunk/web/src/main/
java/org/apache/ki/web/servlet/KiFilter.java
It needs to wrap the servlet request and, depending on the sessionMode,
the servlet response for special 'interceptor' functionality.
I'm not a Grails user, so you'll have to excuse my ignorance, but why
aren't you using the standard KiFilter (was called JSecurityFilter)? I
was fairly certain that the Grails JSecurity plugin would enable it (but
I could be wrong).
Regards,
Les
Re: Subject reset when page refreshed with F5 the second time
Posted by Les Hazlewood <lh...@apache.org>.
Hi Shams,
Your Groovy class "JSecurityFilters" doesn't appear to do everything
necessary. Look at the existing 'master' Filter here:
https://svn.apache.org/repos/asf/incubator/jsecurity/trunk/web/src/main/java/org/apache/ki/web/servlet/KiFilter.java
It needs to wrap the servlet request and, depending on the sessionMode, the
servlet response for special 'interceptor' functionality.
I'm not a Grails user, so you'll have to excuse my ignorance, but why aren't
you using the standard KiFilter (was called JSecurityFilter)? I was fairly
certain that the Grails JSecurity plugin would enable it (but I could be
wrong).
Regards,
Les
On Thu, Apr 2, 2009 at 3:21 PM, Imam, Shams <Sh...@sabre.com> wrote:
> Careless on my part to not read the entire documentation. Seems I needed to
> use DefaultWebSecurityManager and configure a filter.
>
> Removed the bootstrap code and added a filter:
>
> class JSecurityFilters {
>
>     SecurityManager securityManager = null;
>
>     SecurityManager getSecurityManager() {
>         if (securityManager == null) {
>             synchronized (JSecurityFilters.class) {
>                 if (securityManager == null) {
>                     // Initialize the jSecurity realm
>                     securityManager = new DefaultWebSecurityManager();
>                     securityManager.setRealm(new MyCustomRealm());
>                     SecurityUtils.setSecurityManager(securityManager);
>                 }
>             }
>         }
>         return securityManager
>     }
>
>     def filters = {
>         securityFilter(controller: '*', action: '*') {
>             before = {
>                 ThreadContext.bind(WebUtils.getInetAddress(request))
>                 WebUtils.bind(request)
>                 WebUtils.bind(response)
>                 ThreadContext.bind(getSecurityManager())
>                 ThreadContext.bind(getSecurityManager().getSubject())
>
>                 return true
>             }
>             afterView = {
>                 ThreadContext.unbindSubject()
>                 ThreadContext.unbindSecurityManager()
>                 WebUtils.unbindServletResponse()
>                 WebUtils.unbindServletRequest()
>                 ThreadContext.unbindInetAddress()
>             }
>         }
>     }
> }
>
> Stuff seems to be working for now unless I have missed other pointers ;)
>
> Shams
RE: Subject reset when page refreshed with F5 the second time
Posted by "Imam, Shams" <Sh...@sabre.com>.
Careless on my part to not read the entire documentation. Seems I needed to use DefaultWebSecurityManager and configure a filter.

Removed the bootstrap code and added a filter:

import org.jsecurity.SecurityUtils
import org.jsecurity.mgt.SecurityManager
import org.jsecurity.util.ThreadContext
import org.jsecurity.web.DefaultWebSecurityManager
import org.jsecurity.web.WebUtils

class JSecurityFilters {

    SecurityManager securityManager = null;

    // Lazily create one shared, web-aware SecurityManager (double-checked locking)
    SecurityManager getSecurityManager() {
        if (securityManager == null) {
            synchronized (JSecurityFilters.class) {
                if (securityManager == null) {
                    // Initialize the jSecurity realm
                    securityManager = new DefaultWebSecurityManager();
                    securityManager.setRealm(new MyCustomRealm());
                    SecurityUtils.setSecurityManager(securityManager);
                }
            }
        }
        return securityManager
    }

    def filters = {
        securityFilter(controller: '*', action: '*') {
            // Bind the request state and the Subject to the current thread
            // before the controller action runs
            before = {
                ThreadContext.bind(WebUtils.getInetAddress(request))
                WebUtils.bind(request)
                WebUtils.bind(response)
                ThreadContext.bind(getSecurityManager())
                ThreadContext.bind(getSecurityManager().getSubject())
                return true
            }
            // Unbind everything once the view has rendered, in reverse order
            afterView = {
                ThreadContext.unbindSubject()
                ThreadContext.unbindSecurityManager()
                WebUtils.unbindServletResponse()
                WebUtils.unbindServletRequest()
                ThreadContext.unbindInetAddress()
            }
        }
    }
}

Stuff seems to be working for now unless I have missed other pointers ;)

Shams