Posted to user@shiro.apache.org by Richard Adams <ri...@researchspace.com> on 2013/03/14 18:42:20 UTC

configuring ssl access through spring

Hello,
  We're making our Spring-MVC based web app run over HTTPS, and use
Shiro pretty much out of the box. We're using Spring 3.2.
  We've got some teething troubles getting HTTPS set up on our
server so I'd like to 'eliminate from our enquiries' our Shiro config
- there are excellent docs on the shiro.ini file but for Spring XML
based config it's a little more sparse.

Specifically,
1) Is the setup below the correct way to add the 'ssl.enabled'  
property to the config files?
2) How do we ensure that the /login URL works over HTTPS? Do we just
add it to the list of filterChainDefinitions, or does it need some
special treatment, or does Shiro automatically use SSL if possible?

E.g.,

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
     <property name="securityManager" ref="securityManager"/>
     <!-- override these for application-specific URLs if you like:-->

     <property name="loginUrl" value="/login"/>
     <property name="successUrl" value="/notebook"/>
     <property name="unauthorizedUrl" value="login?error=true"/>
     <property name="ssl.enabled" value="false"/>
     <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean  -->
     <!-- defined will be automatically acquired and available via its beanName in chain        -->
     <!-- definitions, but you can perform instance overrides or name aliases here if you like: -->
     <!-- <property name="filters">
         <util:map>
             <entry key="anAlias" value-ref="someFilter"/>
         </util:map>
     </property> -->
     <property name="filterChainDefinitions">
         <value>
             # some example chain definitions:
             /images/**=anon
             /videos/**=anon
             /styles/**=anon
             /scripts/**=anon
             /admin/** = authc,ssl
             /signup/** = anon
             /** = authc,ssl
             # more URL-to-FilterChain definitions here
         </value>
     </property>
</bean>


Many thanks

Richard

Richard Adams
richard@researchspace.com





Re: configuring ssl access through spring

Posted by Les Hazlewood <lh...@apache.org>.
Ah yes!  I'm sorry I misunderstood you - it wasn't clear to me that
you wanted to override a setting for an individual filter (the example
you gave showed it as a main property of the ShiroFilterFactoryBean
and I guess that threw me off).

Yes, what you have done is the correct thing to do - the default
filters (with their default settings) are there only as a convenience
to those that can use them without config changes.

In Spring, you override it by placing a different instance in the map
(with the same name as the key), exactly as you have done.

Cheers,

Les

On Fri, Mar 15, 2013 at 6:03 AM, Richard Adams
<ri...@researchspace.com> wrote:
> OK, I've figured this out now -
> 1) Add spring util namespace to the file
> 2) Override the instance with your own bean, using as a key the name of the
> filter (ssl, anon, etc):
> <util:map>
>              <!-- Overrides default sslFilter to better handle
> enablement/disablement -->
>             <entry key="ssl" value-ref="ssl2"/>
>         </util:map>
>
> <bean id="ssl2"
> class="com.axiope.webapp.filter.ShiroSslFilterMavenAgnostic">
>                 <property name="enabledOverride" value="${ssl.enabled}"/>
> </bean>
> In our case, we overrode the SslFilter to better handle input to the
> setEnabled() method - we're using Maven resource filtering, which doesn't
> work with jetty,
> so needed to handle the case where 'value' is an unresolved variable like
> ${ssl.enabled}. But of course you can just use Shiro's Ssl filter here too.
>
> Hope this thread is useful to someone at some point.
>
> Richard

Re: configuring ssl access through spring

Posted by Richard Adams <ri...@researchspace.com>.
OK, I've figured this out now -
1) Add the Spring util namespace to the file
2) Override the instance with your own bean, using as a key the name
of the filter (ssl, anon, etc):

<util:map>
    <!-- Overrides default sslFilter to better handle enablement/disablement -->
    <entry key="ssl" value-ref="ssl2"/>
</util:map>

<bean id="ssl2" class="com.axiope.webapp.filter.ShiroSslFilterMavenAgnostic">
    <property name="enabledOverride" value="${ssl.enabled}"/>
</bean>

In our case, we overrode the SslFilter to better handle input to the
setEnabled() method - we're using Maven resource filtering, which
doesn't work with Jetty, so we needed to handle the case where 'value'
is an unresolved variable like ${ssl.enabled}. But of course you can
just use Shiro's SSL filter here too.

Hope this thread is useful to someone at some point.

Richard

Richard Adams
richard@researchspace.com
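
The override described in this thread, written out as a complete Spring XML file using Shiro's stock SslFilter. This is an added example, not configuration posted by anyone in the thread; the bean id sslOverride, the file name app.properties and the ssl.port key are assumptions, and the securityManager bean is assumed to be defined elsewhere.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

  <!-- Assumed file name. Only a dev machine would carry ssl.enabled=false in it. -->
  <context:property-placeholder location="classpath:app.properties"
                                ignore-resource-not-found="true"/>

  <!-- Stock Shiro filter: 'enabled' is inherited from OncePerRequestFilter,
       'port' from PortFilter. -->
  <bean id="sslOverride" class="org.apache.shiro.web.filter.authz.SslFilter">
    <!-- The value after ':' is used when the key is absent, so a missing or
         incomplete properties file leaves the HTTPS requirement switched on. -->
    <property name="enabled" value="${ssl.enabled:true}"/>
    <!-- Redirect port; 8443 is the port used in this thread. -->
    <property name="port" value="${ssl.port:8443}"/>
  </bean>

  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login"/>
    <!-- The key 'ssl' replaces the default filter of the same name. -->
    <property name="filters">
      <util:map>
        <entry key="ssl" value-ref="sslOverride"/>
      </util:map>
    </property>
    <property name="filterChainDefinitions">
      <value>
        /images/** = anon
        # filters run in the order listed: HTTPS redirect first, then authentication
        /login = ssl,authc
        /admin/** = ssl,authc
        /** = ssl,authc
      </value>
    </property>
  </bean>
</beans>
```

Because the port is set on the bean, the chain entries can use plain `ssl` instead of `ssl[8443]`.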





Re: configuring ssl access through spring

Posted by otter606 <ri...@researchspace.com>.
OK, well that config is wrong. ssl.enabled is in the wrong place, and I need
to explicitly add the redirect port number to the ssl value, i.e.,

/admin/** = authc,ssl[8443]

So now I have ssl access enabled and a redirect is working, all is working
now.

But I'm still struggling on how/where to put the ssl.enabled flag in a Spring
config, so we can easily switch between dev and production environments. In
a .ini file this goes in the 'main' section and I understand that somehow
the 'enabled' property of a OncePerRequestFilter needs to be set.

Any suggestions welcome, thank you.

Richard


