You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by Dan Rollo <da...@gmail.com> on 2013/01/09 23:36:04 UTC
AuthenticatingFilter lifecycle when used in [urls]?
I'm working on integrating Negotiate authentication via waffle into Shiro.
For starters I just extend BasicHttpAuthenticationFilter (will probably
change to AuthenticatingFilter later), and supply my own
onAccessDenied() method.
The problem I'm having is there is never a call to init() (nor
onFilterConfigSet(), nor setFilterConfig()) that I can use to do some
one time initialisation that requires access to the servletContext and
filterConfig.
I'm guessing (wildly) that these events are never called because I only
configure this filter in the shiro.ini in the [urls] section, like:
[urls]
login.jsp = waffleFilter, authc
/logout = logout
/* = waffleFilter, authc
I was trying to keep this filter simple (like the built in filter
classes I see in: org.apache.shiro.web.filter.authc. Do I need to
configure something more in shiro.ini to make cause the "init()" calls
to occur on my filter?
Once I have the init event figured out, I will soon need access to the
equivalent of the FilterChain arg in javax.servlet.Filter.doFilter().
Thanks!
Dan
Re: AuthenticatingFilter lifecycle when used in [urls]?
Posted by Les Hazlewood <lh...@apache.org>.
Hi Dan,
If you implement org.apache.shiro.util.Initializable that should be
all that is necessary. init() is called on Initializable instances
after they're fully configured in the [main] section.
However, after looking at some code (briefly), it appears that this
_may_ not occur in all cases. If you see that it does not, can you
please ping us asap? I can get a fix out quickly if so. Also, what
version are you using?
Cheers,
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
On Wed, Jan 9, 2013 at 2:36 PM, Dan Rollo <da...@gmail.com> wrote:
> I'm working on integrating Negotiate authentication via waffle into Shiro.
>
> For starters I just extend BasicHttpAuthenticationFilter (will probably
> change to AuthenticatingFilter later), and supply my own onAccessDenied()
> method.
>
> The problem I'm having is there is never a call to init() (nor
> onFilterConfigSet(), nor setFilterConfig()) that I can use to do some one
> time initialisation that requires access to the servletContext and
> filterConfig.
>
> I'm guessing (wildly) that these events are never called because I only
> configure this filter in the shiro.ini in the [urls] section, like:
>
> [urls]
> login.jsp = waffleFilter, authc
> /logout = logout
> /* = waffleFilter, authc
>
>
> I was trying to keep this filter simple (like the built in filter classes I
> see in: org.apache.shiro.web.filter.authc. Do I need to configure something
> more in shiro.ini to make cause the "init()" calls to occur on my filter?
>
>
> Once I have the init event figured out, I will soon need access to the
> equivalent of the FilterChain arg in javax.servlet.Filter.doFilter().
>
> Thanks!
> Dan
Re: AuthenticatingFilter lifecycle when used in [urls]?
Posted by Les Hazlewood <lh...@apache.org>.
Hi Dan,
Just a quick notice - I hope to take a closer look at this this week,
hopefully no later than the weekend.
Thanks for keeping us posted and providing more information - it is greatly
appreciated!
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
On Tue, Jan 29, 2013 at 9:22 AM, bhamail <da...@gmail.com> wrote:
> Hi Les,
>
> FWIW, after digging into this some more, it appears the problem of not
> calling init() on Initializable's is NOT a problem for Realm subclasses,
> but
> it IS a problem for Filter subclasses.
>
> For example,
> org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(Ini
> ini, Ini.Section mainSection) ensure Realms are init'ed by the call to
> IniSecurityManagerFactory.initRealms(securityManager) - which invokes
> Initializable.init().
>
> However, Filter subclasses do not get init'ed. Only the
> org.apache.shiro.web.servlet.AbstractFilter.init(FilterConfig filterConfig)
> is called by a web server class (tomcat6:
> org.apache.catalina.core.ApplicationFilterConfig().getFilter():295). This
> call to AbstractFilter.init(FilterConfig filterConfig) results in a call to
> an init() method (however, this init() method is NOT an impl of
> Initializable, it is: "AbstractShiroFilter.init() throws Exception").
>
> Also, only the single "uber" ShiroFilter instance gets this call from
> ....catalina.core.ApplicationFilterConfig().getFilter() (no Filter
> subclasses get this call).
>
>
> All this said, I'm not at all certain my Filter implementation is correct
> (and maybe much of my filter logic should either be moved to a Realm OR my
> filter should make use of the Servlet Filter delegate redesign I saw
> mentioned elsewhere -> a design change that would make it easier to reuse
> existing Tomcat filters as it - which is basically exactly what I am trying
> to do). I saw this, because the reason I needed the init() call was to make
> sure the FilterConfig info was available for the Servlet Filter instance I
> am delegating to. I guess such a redesign may still have need for this sort
> of "init()" event anyway....
>
> Could you point me to the Servlet Filter Delegate changes? Are they only in
> trunk?
>
> Thanks,
> Dan
>
>
>
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/AuthenticatingFilter-lifecycle-when-used-in-urls-tp7578146p7578216.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
Re: AuthenticatingFilter lifecycle when used in [urls]?
Posted by bhamail <da...@gmail.com>.
Hi Les,
FWIW, after digging into this some more, it appears the problem of not
calling init() on Initializable's is NOT a problem for Realm subclasses, but
it IS a problem for Filter subclasses.
For example,
org.apache.shiro.config.IniSecurityManagerFactory.createSecurityManager(Ini
ini, Ini.Section mainSection) ensure Realms are init'ed by the call to
IniSecurityManagerFactory.initRealms(securityManager) - which invokes
Initializable.init().
However, Filter subclasses do not get init'ed. Only the
org.apache.shiro.web.servlet.AbstractFilter.init(FilterConfig filterConfig)
is called by a web server class (tomcat6:
org.apache.catalina.core.ApplicationFilterConfig().getFilter():295). This
call to AbstractFilter.init(FilterConfig filterConfig) results in a call to
an init() method (however, this init() method is NOT an impl of
Initializable, it is: "AbstractShiroFilter.init() throws Exception").
Also, only the single "uber" ShiroFilter instance gets this call from
....catalina.core.ApplicationFilterConfig().getFilter() (no Filter
subclasses get this call).
All this said, I'm not at all certain my Filter implementation is correct
(and maybe much of my filter logic should either be moved to a Realm OR my
filter should make use of the Servlet Filter delegate redesign I saw
mentioned elsewhere -> a design change that would make it easier to reuse
existing Tomcat filters as it - which is basically exactly what I am trying
to do). I saw this, because the reason I needed the init() call was to make
sure the FilterConfig info was available for the Servlet Filter instance I
am delegating to. I guess such a redesign may still have need for this sort
of "init()" event anyway....
Could you point me to the Servlet Filter Delegate changes? Are they only in
trunk?
Thanks,
Dan
--
View this message in context: http://shiro-user.582556.n2.nabble.com/AuthenticatingFilter-lifecycle-when-used-in-urls-tp7578146p7578216.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: AuthenticatingFilter lifecycle when used in [urls]?
Posted by Les Hazlewood <lh...@apache.org>.
Hi Dan,
It is a quick fix, but I don't yet have a good idea for _where_ the code
should execute. It *could* be in the ReflectionBuilder, or a little higher
in the stack, like an Environment implementation or
IniSecurityManagerFactory. IniSecurityManagerFactory is really being
superseded by the Environment concept, but it has to work in a backwards
compatible way.
HTH,
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
On Thu, Jan 24, 2013 at 12:30 AM, bhamail <da...@gmail.com> wrote:
> Ping.
>
> I created the requested Jira (see prior post).
> Is there a place I could start digging to help fix this issue? Les
> mentioned
> it was likely a quick fix.
>
> Thanks,
> Dan
>
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/AuthenticatingFilter-lifecycle-when-used-in-urls-tp7578146p7578201.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
Re: AuthenticatingFilter lifecycle when used in [urls]?
Posted by bhamail <da...@gmail.com>.
Ping.
I created the requested Jira (see prior post).
Is there a place I could start digging to help fix this issue? Les mentioned
it was likely a quick fix.
Thanks,
Dan
--
View this message in context: http://shiro-user.582556.n2.nabble.com/AuthenticatingFilter-lifecycle-when-used-in-urls-tp7578146p7578201.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: AuthenticatingFilter lifecycle when used in [urls]?
Posted by bhamail <da...@gmail.com>.
Done:
https://issues.apache.org/jira/browse/SHIRO-413
--
View this message in context: http://shiro-user.582556.n2.nabble.com/AuthenticatingFilter-lifecycle-when-used-in-urls-tp7578146p7578169.html
Sent from the Shiro User mailing list archive at Nabble.com.