Posted to user@shiro.apache.org by sudheer kumar komirishetty <ko...@gmail.com> on 2013/01/07 15:37:05 UTC

Session Management For SOAP/REST APIs

Hi,

I am a newbie to Shiro. I would like to know how I can achieve session
management for handling SOAP/REST calls.
Is there any sample project that I can refer to?

Thanks in Advance,
Sudheer.

Re: Session Management For SOAP/REST APIs

Posted by Paulo Pires <pj...@ubiwhere.com>.
With container session management, the client must provide the cookie 
that the first request (usually log-in) returns.

PP

On 01/08/2013 04:49 AM, sudheer kumar komirishetty wrote:
> Thanks Paulo.
>
> One more question though: For a single REST / SOAP call we could rely 
> on the container session or native Shiro session, but how can we 
> maintain a session across multiple REST/SOAP calls? Do we have to 
> write our custom logic similar to ThreadContext that is provided by Shiro?
>
> Regards,
> Sudheer.
>
> On Mon, Jan 7, 2013 at 8:23 PM, Paulo Pires <pj...@ubiwhere.com> wrote:
>
>     Btw, shiro.ini is a little bit outdated, since I was using Shiro
>     1.2.0 which had a bug with password matching, temporarily fixed by
>     Les (
>     passwordMatcher=org.apache.shiro.authc.credential.TempFixPasswordMatcher).
>     You can change to the original PasswordMatcher as this was fixed
>     in 1.2.1.
>
>     Also, I've simplified the datasource configuration in order to use
>     a JDBC Resource from my container (through JNDI):
>
>         ds = org.apache.shiro.jndi.JndiObjectFactory
>         ds.resourceName = jdbc/myDS
>
>         ## the actual authentication realm
>         jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
>         jdbcRealm.permissionsLookupEnabled = true
>         jdbcRealm.authenticationQuery = SELECT password FROM public.USERS WHERE username = ?
>         jdbcRealm.userRolesQuery = SELECT role_name FROM public.USERS_ROLES WHERE username = ?
>         jdbcRealm.permissionsQuery = SELECT permission_name FROM public.ROLES_PERMISSIONS WHERE role_name = ?
>         jdbcRealm.credentialsMatcher = $passwordMatcher
>         jdbcRealm.dataSource=$ds
>         securityManager.realms = $jdbcRealm
>
>     PP
>
>
>     On 01/07/2013 02:41 PM, Paulo Pires wrote:
>>     You can use native Shiro session management or, since it's a
>>     webapp, your container session management facilities.
>>
>>     I, for one, use Shiro for authentication purposes but rely on the
>>     container for session stuff, since it's easier to clusterize.
>>
>>     Regarding examples, you'll find mine at
>>     https://github.com/pires/simple-shiro-web-app
>>
>>     PP
>>
>>     On Mon 07 Jan 2013 02:37:05 PM WET, sudheer kumar komirishetty
>>     wrote:
>>>     Hi,
>>>
>>>     I am a newbie to Shiro. I would like to know how I can achieve
>>>     session
>>>     management for handling SOAP/REST calls.
>>>     Is there any sample project that I can refer to?
>>>
>>>     Thanks in Advance,
>>>     Sudheer.
>>
>>
>
>


Re: Session Management For SOAP/REST APIs

Posted by sudheer kumar komirishetty <ko...@gmail.com>.
Thanks Paulo.

One more question though: For a single REST / SOAP call we could rely on
the container session or native Shiro session, but how can we maintain a
session across multiple REST/SOAP calls? Do we have to write our custom
logic similar to ThreadContext that is provided by Shiro?

Regards,
Sudheer.

On Mon, Jan 7, 2013 at 8:23 PM, Paulo Pires <pj...@ubiwhere.com> wrote:

>  Btw, shiro.ini is a little bit outdated, since I was using Shiro 1.2.0
> which had a bug with password matching, temporarily fixed by Les (
> passwordMatcher = org.apache.shiro.authc.credential.TempFixPasswordMatcher).
> You can change to the original PasswordMatcher as this was fixed in 1.2.1.
>
> Also, I've simplified the datasource configuration in order to use a JDBC
> Resource from my container (through JNDI):
>
> ds = org.apache.shiro.jndi.JndiObjectFactory
> ds.resourceName = jdbc/myDS
>
> ## the actual authentication realm
> jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
> jdbcRealm.permissionsLookupEnabled = true
> jdbcRealm.authenticationQuery = SELECT password FROM public.USERS WHERE username = ?
> jdbcRealm.userRolesQuery = SELECT role_name FROM public.USERS_ROLES WHERE username = ?
> jdbcRealm.permissionsQuery = SELECT permission_name FROM public.ROLES_PERMISSIONS WHERE role_name = ?
> jdbcRealm.credentialsMatcher = $passwordMatcher
> jdbcRealm.dataSource=$ds
> securityManager.realms = $jdbcRealm
>
> PP
>
>
> On 01/07/2013 02:41 PM, Paulo Pires wrote:
>
> You can use native Shiro session management or, since it's a webapp, your
> container session management facilities.
>
> I, for one, use Shiro for authentication purposes but rely on the container
> for session stuff, since it's easier to clusterize.
>
> Regarding examples, you'll find mine at
> https://github.com/pires/simple-shiro-web-app
>
> PP
>
> On Mon 07 Jan 2013 02:37:05 PM WET, sudheer kumar komirishetty wrote:
>
> Hi,
>
> I am a newbie to Shiro. I would like to know how I can achieve session
> management for handling SOAP/REST calls.
> Is there any sample project that I can refer to?
>
> Thanks in Advance,
> Sudheer.
>
>
>
>
>

Re: Session Management For SOAP/REST APIs

Posted by Paulo Pires <pj...@ubiwhere.com>.
Btw, shiro.ini is a little bit outdated, since I was using Shiro 1.2.0 
which had a bug with password matching, temporarily fixed by Les ( 
passwordMatcher=org.apache.shiro.authc.credential.TempFixPasswordMatcher). 
You can change to the original PasswordMatcher as this was fixed in 1.2.1.

Also, I've simplified the datasource configuration in order to use a 
JDBC Resource from my container (through JNDI):

    ds = org.apache.shiro.jndi.JndiObjectFactory
    ds.resourceName = jdbc/myDS

    ## the actual authentication realm
    jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
    jdbcRealm.permissionsLookupEnabled = true
    jdbcRealm.authenticationQuery = SELECT password FROM public.USERS WHERE username = ?
    jdbcRealm.userRolesQuery = SELECT role_name FROM public.USERS_ROLES WHERE username = ?
    jdbcRealm.permissionsQuery = SELECT permission_name FROM public.ROLES_PERMISSIONS WHERE role_name = ?
    jdbcRealm.credentialsMatcher = $passwordMatcher
    jdbcRealm.dataSource=$ds
    securityManager.realms = $jdbcRealm

PP

On 01/07/2013 02:41 PM, Paulo Pires wrote:
> You can use native Shiro session management or, since it's a webapp, 
> your container session management facilities.
>
> I, for one, use Shiro for authentication purposes but rely on the 
> container for session stuff, since it's easier to clusterize.
>
> Regarding examples, you'll find mine at 
> https://github.com/pires/simple-shiro-web-app
>
> PP
>
> On Mon 07 Jan 2013 02:37:05 PM WET, sudheer kumar komirishetty wrote:
>> Hi,
>>
>> I am a newbie to Shiro. I would like to know how I can achieve session
>> management for handling SOAP/REST calls.
>> Is there any sample project that I can refer to?
>>
>> Thanks in Advance,
>> Sudheer.
>
>


Re: Session Management For SOAP/REST APIs

Posted by Paulo Pires <pj...@ubiwhere.com>.
You can use native Shiro session management or, since it's a webapp, 
your container session management facilities.

I, for one, use Shiro for authentication purposes but rely on the 
container for session stuff, since it's easier to clusterize.

Regarding examples, you'll find mine at 
https://github.com/pires/simple-shiro-web-app

PP

On Mon 07 Jan 2013 02:37:05 PM WET, sudheer kumar komirishetty wrote:
> Hi,
>
> I am a newbie to Shiro. I would like to know how I can achieve session
> management for handling SOAP/REST calls.
> Is there any sample project that I can refer to?
>
> Thanks in Advance,
> Sudheer.