Posted to user@shiro.apache.org by shannon <tm...@gmail.com> on 2013/02/07 14:44:18 UTC

Shiro and Jboss Seam 2.2 integration

Dear community,


I am working on a project using Jboss 4.2.3 with Seam framework and Shiro
1.2.
The architecture is mainly using restful webservices (resteasy). In this
framework, there is a general authenticator, which is called on every single
rest request. Of course, I would like to support multiple
users at the same time, so I decided to deactivate session handling of Shiro
with the following code:

((DefaultSessionStorageEvaluator)
    ((DefaultSubjectDAO)
        ((DefaultSecurityManager) SecurityUtils.getSecurityManager()).getSubjectDAO())
    .getSessionStorageEvaluator())
.setSessionStorageEnabled(false);
	
The class that is called on each webservice (rest) request is implemented in
the following way:
-----snippet (Authenticator) begin------
    // Runs inside the Seam authenticator; username/password are fields set from the request
    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken usernamePasswordToken =
            new UsernamePasswordToken(username, password);
    usernamePasswordToken.setRememberMe(false);   // no remember-me cookie for REST calls
    String ipAddress = "";                         // currently unused
    HttpServletRequest httpRequest = ServletContexts.instance().getRequest(); // currently unused
    // login() throws AuthenticationException on bad credentials; it is not caught here
    currentUser.login(usernamePasswordToken);
    loginSuccessful = true;
    return currentUser.isAuthenticated();
-----snippet end-------

My question is now - is this the right way to do that?

Many thanx in advance for any suggestion/hint.

br
shannon



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-Jboss-Seam-2-2-integration-tp7578239.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro and Jboss Seam 2.2 integration

Posted by Les Hazlewood <lh...@apache.org>.
Hi Shannon,

That is one way to do it, but I think a (much) easier way is to
configure this in a configuration mechanism.  For example, with
shiro.ini:

securityManager.subjectDao.sessionStorageEvaluator.sessionStorageEnabled = false

Or you could use Spring or JBoss beans.xml or whatever else you prefer.

This prevents Shiro from storing data in sessions for all Subjects -
this may or may not be desirable for you if you have a UI for example.
For all REST requests, this should be fine however.

But note:  this only prevents _Shiro_ itself from using the Session
for its own storage needs.  It does not prevent you (or other
developers on your team) from starting a session by calling
subject.getSession() or httpServletRequest.getSession().

But you can enforce this as well.  If you want to _guarantee_ that
sessions won't be used, and not just by Shiro, but _any_ 3rd party
framework or even your own development team (which I think is a really
good idea if you want to enforce statelessness for a REST API), you
should use Shiro's NoSessionCreationFilter:

http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/web/filter/session/NoSessionCreationFilter.html

This will throw a DisabledSessionException if anyone or anything tries
to create a Session - really handy for enforcing statelessness.  You'd
be surprised by the things that use the session without your
knowledge.

Note that this will only work if defined _after_ the root ShiroFilter
in the filter chain.  Any 3rd party servlet that might sit 'higher' in
the FilterChain above the NoSessionCreationFilter can still create
sessions.  This is one of many reasons why we suggest that the
ShiroFilter sit at the top of the filter chain and you define all
other Filters after it.

Finally, this is all covered in documentation:

http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%2528Sessionless%2529

and

http://shiro.apache.org/session-management.html#SessionManagement-WebApplications

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Thu, Feb 7, 2013 at 5:44 AM, shannon <tm...@gmail.com> wrote:
> Dear community,
>
>
> I am working on a project using Jboss 4.2.3 with Seam framework and Shiro
> 1.2.
> The architecture is mainly using restful webservices (resteasy). In this
> framework, there is a general authenticator, which is called on every single
> rest request. Of course, i would like to support multiple
> users at the same time, so i decided to deactivate session handling of shiro
> by the following code:
>
> *((DefaultSessionStorageEvaluator)((DefaultSubjectDAO)((DefaultSecurityManager)SecurityUtils.getSecurityManager()).getSubjectDAO()).getSessionStorageEvaluator()).setSessionStorageEnabled(false);*
>
> The class that is called on each webservice (rest) request is implemented in
> the following way:
> -----snippet (Authenticator) begin------
>         Subject currentUser = SecurityUtils.getSubject();
>         UsernamePasswordToken usernamePasswordToken = new
> UsernamePasswordToken(username, password);
>         usernamePasswordToken.setRememberMe(false);
>         String ipAddress = "";
>         HttpServletRequest httpRequest =
> ServletContexts.instance().getRequest();
>         currentUser.login(usernamePasswordToken);
>         loginSuccessful = true;
>         return currentUser.isAuthenticated();
> -----snippet end-------
>
> My question is now - is this the right way how to do that?
>
> Many thanx in advance for any suggestion/hint.
>
> br
> shannon
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-and-Jboss-Seam-2-2-integration-tp7578239.html
> Sent from the Shiro User mailing list archive at Nabble.com.
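To put the two pieces of advice from the reply above side by side (the sessionStorageEnabled property from the shiro.ini line and the NoSessionCreationFilter applied to the REST paths), here is an added shiro.ini example. It is not configuration from either poster or from the Shiro project; the /rest/** path, the authcBasic filter as the source of per-request credentials, and the [users] account are assumptions constructed for illustration. The original post's Seam authenticator would take the place of authcBasic.

```ini
[main]
# Equivalent of the programmatic setSessionStorageEnabled(false) call in the question:
# Shiro no longer persists Subject state (principals, authenticated flag) into the HttpSession.
securityManager.subjectDao.sessionStorageEvaluator.sessionStorageEnabled = false

[users]
# Constructed sample account for illustration only; a real deployment uses its own Realm.
demo = demo-password

[urls]
# noSessionCreation is Shiro's built-in NoSessionCreationFilter: any attempt to create a
# session on these paths (by Shiro, a third-party library, or your own code) throws
# DisabledSessionException, which is what actually enforces statelessness.
# authcBasic (assumed here) authenticates every request from its HTTP Basic credentials.
/rest/** = noSessionCreation, authcBasic

# Non-REST paths are left out on purpose: a UI that still needs sessions keeps using them.
```

For this to hold, the ShiroFilter must be mapped first in web.xml so that it runs before every other servlet filter; a filter registered ahead of it can still call httpServletRequest.getSession() before the noSessionCreation check is reached. Note that the property on the first line only stops Shiro's own session writes; without the [urls] entry, an application call to subject.getSession() would still create one.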