You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@shiro.apache.org by gcollins <ga...@gmail.com> on 2011/07/28 23:52:31 UTC

SecurityManager Null Issue In Web App

Hello,

I just started with Shiro. I am running Shiro to supply security for a web
application in OSGi (Karaf). Since I need OSGi compatibility I am using the
latest nightly build from Hudson (I understand there are some unreleased
fixes related to OSGi).

I got a simple basic authentication example working very quickly (which is
great! - easier that getting Spring Security working in OSGi). My next test
was to add the ssl filter which didn't turn out so well.

My shiro.ini:

# INI configuration is very powerful and flexible, while still remaining
succinct.
# Please http://shiro.apache.org/configuration.html and
# http://shiro.apache.org/web.html for more.

[main]
ssl.port = 8443

[users]
<default users from shiro web example>

[roles]
<default roles from shiro web example>

[urls]
/** = ssl,authcBasic

web.xml (following the example):
.
.
  	<listener>
	
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
	</listener>
.
  <filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
.
When I try to access the web page I am getting a null pointer exception:

java.lang.NullPointerException
	at
org.apache.shiro.web.servlet.AbstractShiroFilter.isHttpSessions(AbstractShiroFilter.java:199)
	at
org.apache.shiro.web.servlet.AbstractShiroFilter.wrapServletRequest(AbstractShiroFilter.java:211)
	at
org.apache.shiro.web.servlet.AbstractShiroFilter.prepareServletRequest(AbstractShiroFilter.java:233)
	at
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:356)
	at
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

and when I looked in the code, it looks like the security manager is not
set:

    protected boolean isHttpSessions() {
        return getSecurityManager().isHttpSessionMode(); << here
    }

After checking the example again, it is still not obvious (at least to me
:)) what I missed. Shouldn't the EnvironmentLoaderLister be setting the
security manager? If anyone could point me in the right direction it would
be much appreciated.

thanks in advance,
Gareth





--
View this message in context: http://shiro-user.582556.n2.nabble.com/SecurityManager-Null-Issue-In-Web-App-tp6631506p6631506.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: SecurityManager Null Issue In Web App

Posted by Les Hazlewood <lh...@apache.org>.

Ah yes - it is marked as optional because it is only needed for ini
configuration.  If you configure Shiro via another means (Spring,
Guice, etc), beanutils is not necessary.

Cheers,

Les

Re: SecurityManager Null Issue In Web App

Posted by gcollins <ga...@gmail.com>.

Hello,

My apologies. I found what the problem was. It was an OSGI refresh issue.

shiro-core has an optional dependency on commons-beanutils. I didn't realise
this until I had already loaded the shiro bundles and had done some initial
tests.
When I added the commons-beanutils bundle (after realising it was now
required),
shiro-core didn't automatically pick up the now available commons-beanutils,
thus it
could not initialize my servlet correctly.

To fix the problem, I needed to explicitly "refresh" the shiro-core bundle.

regards,
Gareth





--
View this message in context: http://shiro-user.582556.n2.nabble.com/SecurityManager-Null-Issue-In-Web-App-tp6631506p6632033.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: SecurityManager Null Issue In Web App

Posted by Les Hazlewood <lh...@apache.org>.

Hi Gareth,

Welcome to the Shiro community!  I'm sorry that you've come across a
bump.  Are you running the latest trunk snapshot?

And yes, the EnvironmentLoaderListener should be setting the SecurityManager.

In the meantime, I'll try this out myself and see what happens...

Regards,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com