Posted to user@shiro.apache.org by Julien Muller <ju...@ezako.com> on 2011/10/31 14:01:23 UTC

Shiro and GWT

Hello,

I am evaluating security solutions for a GWT application.
I like the shiro approach since it seems simple and easy to plug to ldap,
but I am afraid I did not really find working examples or tutorials about
this context.

I acknowledge you cannot use shiro classes from client side (javascript),
but do not think this should be a problem.

My understanding about what I should do (simple version with local users
defined in shiro.ini):
- Add IniShiroFilter to my web.xml
- add shiro.ini with authc.loginUrl = login.html, users and urls.
- Add a login.html page
- I will handle rpc security afterwards passing credentials in my payload
and perform server side validation for each call.

Up to now, I can tell my shiro.ini is taken into account, the application
can forward to login.html, but then nothing else is done.
I have seen in this tutorial:
http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
that a custom servlet is implemented for login. It seems to me it should be
handled automatically by shiro (or not?).

Furthermore, shiro documentation led me to believe that after login, the user
will be automatically redirected to his original request page, which is
definitely not the case during my tests.

Any help or guidance would be appreciated.

-- 

Best Regards,

Julien

Re: Shiro and GWT

Posted by Jared Bunting <ja...@peachjean.com>.
On 10/31/2011 03:42 PM, Julien Muller wrote:
> [urls]
> /login.html = anon
This is your problem.  The authc filter will never see requests for
login.html, and therefore can't do an authentication.  Delete this line
and I expect the issue will go away.  authc has special handling for the
loginUrl page, so you don't have to worry about specifically including it.
> /* = authc


Re: Shiro and GWT

Posted by Kalle Korhonen <ka...@gmail.com>.
It's not a bug but a common gotcha. The url you are posting your login
request to and the login landing page differ, so you need an anon
configuration, otherwise you just get redirected indefinitely between
the login landing page and authentication filter. Check the resulting
html of your login.html and see what's the action url you are posting
to. Put that url as your authc.loginUrl configuration and it should
work assuming the rest of your configuration is ok.

Kalle


On Mon, Oct 31, 2011 at 4:59 PM, Julien Muller <ju...@ezako.com> wrote:
> Thank you, Jared, for the answer.
> When I try to comment /login.html = anon, I get a browser error 310
> (net::ERR_TOO_MANY_REDIRECTS) for all my calls.
> Not sure why shiro seems to try to redirect me to the login page in an
> infinite loop.
> As a test, I tried to comment out authc.loginUrl = login.html and rename
> login.html to login.jsp. I know this is weird, but this made it work.
> I am using shiro 1.1.0; it now really looks like a bug to me. Not sure if
> this is linked to GWT at all. Something like "authc special handling" for
> login page only works with default name or jsp extension.
> Anyone encountered the same issue?
> --
>
> Best Regards,
> Julien
>
> 2011/10/31 Julien Muller <ju...@ezako.com>
>>
>> Hello,
>> Thanks for the replies, for some reasons I did not receive any mail from
>> the list, but I can see answers in the web based archive. I guess this is
>> due to my (very) recent subscription.
>>
>> Here is my web.xml:
>> <filter>
>>  <filter-name>ShiroFilter</filter-name>
>>  <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
>> </filter>
>> <filter-mapping>
>>  <filter-name>ShiroFilter</filter-name>
>>  <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> shiro.ini:
>> [main]
>> securityManager.sessionMode = native
>> authc.loginUrl = login.html
>>
>> [users]
>> julien = password, role1, role2
>>
>> [urls]
>> /login.html = anon
>> /* = authc
>>
>> Here is my login.html form:
>> <form action="" id="loginForm" method="post">
>>   Username: <input type="text" name="username"/> <br/>
>>   Password: <input type="password" name="password"/><br/>
>>   <input type="checkbox" name="rememberMe" value="true"/>Remember Me?
>> <br/>
>>   <input type="submit" name="submit" value="Login" />
>> </form>
>>
>> This is only an early test, in the future I plan to move login.html to GWT
>> code and to manage RPC.
>> By now, I'd like to get this working the following way:
>> 1) User queries the application url
>> 2) User gets redirected to the login page and provides credentials
>> 3) User is logged in and gets redirected back to the application.
>> By now, I get stuck on the login page.
>>
>> Not sure why this does not work. At some point, I thought this might be
>> due to the embedded jetty server, but I get the same result once deployed on
>> tomcat.
>>
>> --
>>
>> Best Regards,
>> Julien
>>
>> 2011/10/31 Julien Muller <ju...@ezako.com>
>> >
>> > Hello,
>> > I am evaluating security solutions for a GWT application.
>> > I like the shiro approach since it seems simple and easy to plug to
>> > ldap, but I am afraid I did not really find working examples or tutorials
>> > about this context.
>> > I acknowledge you cannot use shiro classes from client side
>> > (javascript), but do not think this should be a problem.
>> > My understanding about what I should do (simple version with local users
>> > defined in shiro.ini):
>> > - Add IniShiroFilter to my web.xml
>> > - add shiro.ini with authc.loginUrl = login.html, users and urls.
>> > - Add a login.html page
>> > - I will handle rpc security afterwards passing credentials in my
>> > payload and perform server side validation for each call.
>> > Up to now, I can tell my shiro.ini is taken into account, the
>> > application can forward to login.html, but then nothing else is done.
>> > I have seen in this
>> > tutorial: http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
>> > that a custom servlet is implemented for login. It seems to me it should
>> > be handled automatically by shiro (or not?).
>> > Furthermore, shiro documentation led me to believe that after login, the
>> > user will be automatically redirected to his original request page, which is
>> > definitely not the case during my tests.
>> > Any help or guidance would be appreciated.
>> > --
>> >
>> > Best Regards,
>> > Julien
>> >
>>
>
>
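Putting Jared's and Kalle's advice together, here is a shiro.ini in the shape they describe (an added example, not a config posted in this thread): the login page is not listed under [urls], so authc itself serves the form on GET and authenticates on POST, and loginUrl is spelled exactly like the path the form's action posts to. Writing it with a leading slash, as in Shiro's own default `/login.jsp`, is my assumption about the right spelling: the filter matches loginUrl against the request path, so the two must agree.

```ini
# shiro.ini (added example, not from the thread)
[main]
securityManager.sessionMode = native
# Must be the same path the login form posts to. Leading slash as in Shiro's
# default "/login.jsp": the authc filter compares loginUrl with the request
# path, and a relative "login.html" never matches "/login.html" (assumption).
authc.loginUrl = /login.html
# Used after login when no original request was saved before the redirect
authc.successUrl = /index.html

[users]
# constructed sample account; do not keep plaintext passwords in production
julien = password, role1, role2

[urls]
# No "/login.html = anon" line here: authc has special handling for its own
# loginUrl (show form, process POST, redirect back to the saved request).
/* = authc
```

The form in login.html should keep the default parameter names username, password and rememberMe and post to /login.html, the same path as authc.loginUrl.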

Re: Shiro and GWT

Posted by Julien Muller <ju...@ezako.com>.
Thank you, Jared, for the answer.

When I try to comment /login.html = anon, I get a browser error 310 (
net::ERR_TOO_MANY_REDIRECTS) for all my calls.
Not sure why shiro seems to try to redirect me to the login page in an
infinite loop.

As a test, I tried to comment out authc.loginUrl = login.html and rename
login.html to login.jsp. I know this is weird, but this made it work.

I am using shiro 1.1.0; it now really looks like a bug to me. Not sure if
this is linked to GWT at all. Something like "authc special handling" for
login page only works with default name or jsp extension.
Anyone encountered the same issue?

-- 

Best Regards,

Julien

2011/10/31 Julien Muller <ju...@ezako.com>

> Hello,
> Thanks for the replies, for some reasons I did not receive any mail from
> the list, but I can see answers in the web based archive. I guess this is
> due to my (very) recent subscription.
>
> Here is my web.xml:
> <filter>
>  <filter-name>ShiroFilter</filter-name>
>  <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
> </filter>
> <filter-mapping>
>  <filter-name>ShiroFilter</filter-name>
>  <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> shiro.ini:
> [main]
> securityManager.sessionMode = native
> authc.loginUrl = login.html
>
> [users]
> julien = password, role1, role2
>
> [urls]
> /login.html = anon
> /* = authc
>
> Here is my login.html form:
> <form action="" id="loginForm" method="post">
>   Username: <input type="text" name="username"/> <br/>
>   Password: <input type="password" name="password"/><br/>
>   <input type="checkbox" name="rememberMe" value="true"/>Remember Me?
> <br/>
>   <input type="submit" name="submit" value="Login" />
> </form>
>
> This is only an early test, in the future I plan to move login.html to GWT
> code and to manage RPC.
> By now, I'd like to get this working the following way:
> 1) User queries the application url
> 2) User gets redirected to the login page and provides credentials
> 3) User is logged in and gets redirected back to the application.
> By now, I get stuck on the login page.
>
> Not sure why this does not work. At some point, I thought this might be
> due to the embedded jetty server, but I get the same result once deployed
> on tomcat.
>
> --
>
> Best Regards,
> Julien
>
>
> 2011/10/31 Julien Muller <ju...@ezako.com>
> >
> > Hello,
> > I am evaluating security solutions for a GWT application.
> > I like the shiro approach since it seems simple and easy to plug to
> ldap, but I am afraid I did not really find working examples or tutorials
> about this context.
> > I acknowledge you cannot use shiro classes from client side
> (javascript), but do not think this should be a problem.
> > My understanding about what I should do (simple version with local users
> defined in shiro.ini):
> > - Add IniShiroFilter to my web.xml
> > - add shiro.ini with authc.loginUrl = login.html, users and urls.
> > - Add a login.html page
> > - I will handle rpc security afterwards passing credentials in my
> payload and perform server side validation for each call.
> > Up to now, I can tell my shiro.ini is taken into account, the
> application can forward to login.html, but then nothing else is done.
> > I have seen in this tutorial:
> http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
> > that a custom servlet is implemented for login. It seems to me it should
> be handled automatically by shiro (or not?).
> > Furthermore, shiro documentation led me to believe that after login, the
> user will be automatically redirected to his original request page, which
> is definitely not the case during my tests.
> > Any help or guidance would be appreciated.
> > --
> >
> > Best Regards,
> > Julien
> >
>
>

Re: Shiro and GWT

Posted by Julien Muller <ju...@ezako.com>.
Hello,
Thanks for the replies, for some reasons I did not receive any mail from
the list, but I can see answers in the web based archive. I guess this is
due to my (very) recent subscription.

Here is my web.xml:
<filter>
 <filter-name>ShiroFilter</filter-name>
 <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
</filter>
<filter-mapping>
 <filter-name>ShiroFilter</filter-name>
 <url-pattern>/*</url-pattern>
</filter-mapping>

shiro.ini:
[main]
securityManager.sessionMode = native
authc.loginUrl = login.html

[users]
julien = password, role1, role2

[urls]
/login.html = anon
/* = authc

Here is my login.html form:
<form action="" id="loginForm" method="post">
  Username: <input type="text" name="username"/> <br/>
  Password: <input type="password" name="password"/><br/>
  <input type="checkbox" name="rememberMe" value="true"/>Remember Me? <br/>
  <input type="submit" name="submit" value="Login" />
</form>

This is only an early test, in the future I plan to move login.html to GWT
code and to manage RPC.
By now, I'd like to get this working the following way:
1) User queries the application url
2) User gets redirected to the login page and provides credentials
3) User is logged in and gets redirected back to the application.
By now, I get stuck on the login page.

Not sure why this does not work. At some point, I thought this might be due
to the embedded jetty server, but I get the same result once deployed on
tomcat.

--

Best Regards,
Julien

2011/10/31 Julien Muller <ju...@ezako.com>
>
> Hello,
> I am evaluating security solutions for a GWT application.
> I like the shiro approach since it seems simple and easy to plug to ldap,
but I am afraid I did not really find working examples or tutorials about
this context.
> I acknowledge you cannot use shiro classes from client side (javascript),
but do not think this should be a problem.
> My understanding about what I should do (simple version with local users
defined in shiro.ini):
> - Add IniShiroFilter to my web.xml
> - add shiro.ini with authc.loginUrl = login.html, users and urls.
> - Add a login.html page
> - I will handle rpc security afterwards passing credentials in my payload
and perform server side validation for each call.
> Up to now, I can tell my shiro.ini is taken into account, the
application can forward to login.html, but then nothing else is done.
> I have seen in this tutorial:
http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
> that a custom servlet is implemented for login. It seems to me it should
be handled automatically by shiro (or not?).
> Furthermore, shiro documentation led me to believe that after login, the
user will be automatically redirected to his original request page, which
is definitely not the case during my tests.
> Any help or guidance would be appreciated.
> --
>
> Best Regards,
> Julien
>

Re: Shiro and GWT

Posted by Nicolas Antoniazzi <ni...@gmail.com>.
I implemented security with Shiro in my web app, but with my own
redirection mechanism (not using shiro.ini).
All is done through RPC calls (no need to have a new page for login, better
for integration).

I made a gwt page (Activity if you use recent pattern recommendations),
plugged on a #!login token in the url.

On client side, all my RPC method interfaces can throw a
RemoteServiceException.
On server side, I have a common entry point that catches all service
exceptions, especially Shiro ones. When a shiro exception is caught, I
rethrow it as a RemoteServiceException + a special flag that indicates
that it is a security exception (for the client side).

I overloaded the AsyncCallback<> object on client side. It is the common
point for all RPC responses. You can check whether you have a
RemoteServiceException with a Shiro flag in it, and in this case, redirect
your client to the GWT login page.

Hope it can help.

Nicolas.

2011/10/31 Julien Muller <ju...@ezako.com>

> Hello,
>
> I am evaluating security solutions for a GWT application.
> I like the shiro approach since it seems simple and easy to plug to ldap,
> but I am afraid I did not really find working examples or tutorials about
> this context.
>
> I acknowledge you cannot use shiro classes from client side (javascript),
> but do not think this should be a problem.
>
> My understanding about what I should do (simple version with local users
> defined in shiro.ini):
> - Add IniShiroFilter to my web.xml
> - add shiro.ini with authc.loginUrl = login.html, users and urls.
> - Add a login.html page
> - I will handle rpc security afterwards passing credentials in my payload
> and perform server side validation for each call.
>
> Up to now, I can tell my shiro.ini is taken into account, the application
> can forward to login.html, but then nothing else is done.
> I have seen in this tutorial:
> http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
> that a custom servlet is implemented for login. It seems to me it should
> be handled automatically by shiro (or not?).
>
> Furthermore, shiro documentation led me to believe that after login, the user
> will be automatically redirected to his original request page, which is
> definitely not the case during my tests.
>
> Any help or guidance would be appreciated.
>
> --
>
> Best Regards,
>
> Julien
>
>
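One way to wire the mechanism Nicolas describes, as an added example that is not his application's code: a flagged checked exception shared by client and server, a server-side entry point that converts Shiro exceptions into it, and a common AsyncCallback that sends the client to the #!login place. RemoteServiceException, Secured and SecureCallback are names I chose; in a real project the client-side classes live under the GWT client source path.

```java
import java.io.Serializable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.ShiroException;
import com.google.gwt.user.client.History;
import com.google.gwt.user.client.rpc.AsyncCallback;

/** Checked exception declared on every RemoteService method so GWT RPC serializes it. */
class RemoteServiceException extends Exception implements Serializable {
    private boolean securityFailure;              // the "special flag" from the thread

    RemoteServiceException() { }                   // GWT RPC needs a no-arg constructor

    RemoteServiceException(String message, boolean securityFailure) {
        super(message);
        this.securityFailure = securityFailure;
    }

    boolean isSecurityFailure() { return securityFailure; }
}

/** Server side: the one entry point every service method goes through (hypothetical helper). */
final class Secured {
    interface Call<T> { T run(); }

    static <T> T run(String permission, Call<T> body) throws RemoteServiceException {
        try {
            // UnauthenticatedException if nobody is logged in, AuthorizationException if not allowed
            SecurityUtils.getSubject().checkPermission(permission);
            return body.run();
        } catch (ShiroException e) {
            // Only the flag crosses the wire; Shiro's own message stays on the server.
            throw new RemoteServiceException("security check failed", true);
        }
    }
}

/** Client side: shared callback, the common point for all RPC responses. */
abstract class SecureCallback<T> implements AsyncCallback<T> {
    @Override
    public void onFailure(Throwable caught) {
        if (caught instanceof RemoteServiceException
                && ((RemoteServiceException) caught).isSecurityFailure()) {
            History.newItem("!login");      // the token the login Activity is mapped on
            return;
        }
        onOtherFailure(caught);
    }

    /** Non-security failures (network, server bug) are left to the caller. */
    protected abstract void onOtherFailure(Throwable caught);
}
```

A service method body then reads `return Secured.run("account:read", new Secured.Call<Account>() { ... });`, and each client call passes a SecureCallback instead of a bare AsyncCallback.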

Re: Shiro and GWT

Posted by Jared Bunting <ja...@peachjean.com>.
Can you share your ini config?

On Oct 31, 2011 8:01 AM, "Julien Muller" <ju...@ezako.com> wrote:

Hello,

I am evaluating security solutions for a GWT application.
I like the shiro approach since it seems simple and easy to plug to ldap,
but I am afraid I did not really find working examples or tutorials about
this context.

I acknowledge you cannot use shiro classes from client side (javascript),
but do not think this should be a problem.

My understanding about what I should do (simple version with local users
defined in shiro.ini):
- Add IniShiroFilter to my web.xml
- add shiro.ini with authc.loginUrl = login.html, users and urls.
- Add a login.html page
- I will handle rpc security afterwards passing credentials in my payload
and perform server side validation for each call.

Up to now, I can tell my shiro.ini is taken into account, the application
can forward to login.html, but then nothing else is done.
I have seen in this tutorial:
http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
that a custom servlet is implemented for login. It seems to me it should be
handled automatically by shiro (or not?).

Furthermore, shiro documentation led me to believe that after login, the user
will be automatically redirected to his original request page, which is
definitely not the case during my tests.

Any help or guidance would be appreciated.

-- 

Best Regards,

Julien