You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by kotogadekiru <ko...@gmail.com> on 2014/01/04 00:58:06 UTC
subject.isAuthenticated(); false after a couple of calls. soap ws
Hi,
I have a pretty special setup for shiro and I'm having a problem i can't
solve.
I can login perfectly via soap webservice sending userName and password and
retrieve a sessionId.
Then i can call another webservice wich retrieves the logedIn user (Object)
from the sessionId.
All the permissions are checked and cleared by my SecurityInterceptor and
the responce is successfull. (this method doesn't require authentication)
But when i call the updateUser(sessionId, user) i get a
Subject.isAuthenticated() false in the SecurityInterceptor and have to throw
an AuthenticationException
The subject binding is done by a soapHandler wich retrieves the session
corresponding to the sessionId provided, construct a subject and then bind
it to the threadContext.
I don't understand why i get this erratic behavior from
Subject.isAuthenticated() i don't see any problems while retrieving the
session in the SessionIdHandler (the soap call is not passed to the service
in this case)
It seems to me that subject.isAuthenticated() is false when retrieving a
session by sessionId. Is this so? how can i instruct shiro to keep the state
of authenticated?
The setup: sourceforge_code
<http://sourceforge.net/p/ursulaerp/code/HEAD/tree/UrsulaEJB/ejbModule/com/ursula/>
Glassfish 4
Ejb webservice/Soap (no web.xml)
Shiro is started in a SecurityProducer @Singleton based on link
<http://czetsuya-tech.blogspot.com.ar/2012/10/how-to-integrate-apache-shiro-with.html#.UsdA_rSJ5Po>
shiro.ini
[main]
filter =com.ursula.beans.auth.shiro.UrsulaFilter
eaoRealm = com.ursula.beans.auth.shiro.EaoRealm
cacheManager=org.apache.shiro.cache.ehcache.EhCacheManager
eaoRealm.cacheManager=$cacheManager
securityManager.realms = $eaoRealm
[urls]
/*=ssl[8181]
//Part of UserBean.java subject is @Injected from the SecurityProducer
public String login(String user, String pass) {
log.info("LoginBean.login");
log.info("procedo a autenticar el usuario user={" + user+ "}, password={"
+ pass +"}");
UserToken token = new UserToken(user, pass);
subject.login(token);//org.apache.shiro.session.UnknownSessionException:
There is no session with id [d59cd917-e734-4ef6-9acc-fbfca1474180]
String sessionId = subject.getSession().getId().toString();
UserToken tk = getTokenLogueado();
Usuario usuario = tk.getUsuario();
subject.getSession().setAttribute(USUARIO_ATTRIBUTE, usuario);
log.info("devuelvo la sessionId: " + sessionId);
return sessionId;
}
/**
* @author Edward P. Legaspi
* @since Oct 10, 2012 Produces an instance of Shiro's subject so that it
can be
* injected.
*/
/**
* Clase que produce un objeto de tipo Subject para que pueda ser injectado
con la anotacion @Inject Subject
* @author Tomas ini
*
*/
@Startup
@Singleton
public class SecurityProducer {
private SecurityManager securityManager;
private Logger log=LoggerFactory.getLogger(SecurityProducer.class);
@PostConstruct
public void init() {
System.out.println("SecurityProducer.init()");
String iniFile
=SecurityInterceptor.class.getResource("/META-INF/shiro.ini").toExternalForm();//ok!
securityManager = new IniSecurityManagerFactory(
iniFile).getInstance();
log.info("Initializing Shiro INI SecurityManager using " + iniFile);
SecurityUtils.setSecurityManager(securityManager);//Esto lo agrega como una
referencia estatica de SecurityUtils. si lo corro mas de una vez se pierden
las sessiones.
}
@Produces
@Named("securityManager")
public SecurityManager getSecurityManager() {
System.out.println("securityManager en SecurityProducer es
"+securityManager);
return securityManager;
}
@Produces
public Subject getSubject() {
return SecurityUtils.getSubject();
}
}
/**
* Handler que se puede agregar a un servcio para que maneje la adjudicacion
de
* una session a un thread cuando se encuentra el paramentro session_id
*
* @author Tomas ini
*
*/
public class SessionIdHandler implements SOAPHandler<SOAPMessageContext> {
static final String META_INF_HANDLERS_XML = "/META-INF/handlers.xml";
private static final String THREAD_STATE = "threadState";
private static final Logger log = LoggerFactory
.getLogger(SessionIdHandler.class);
@EJB @Named("securityManager") SecurityManager securityManager;
public boolean handleMessage(SOAPMessageContext mc) {
log.info("SessionIdHandler.handleMessage()");
Boolean outbound = (Boolean) mc
.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
if (!outbound) {
System.out.println("SessionIdHandler Inbound soap Message");
try {
System.out.println("securityManager en sessionIdHandler es
"+securityManager);
Builder builder = (new Subject.Builder(securityManager));
final SOAPMessage message = mc.getMessage();
final SOAPBody body = message.getSOAPBody();
NodeList element =
body.getElementsByTagName(LoginService.SESSION_ID_PARAM);
if (element.item(0) != null) {//si tiene el parametro sessionId
System.out.println("SessionIdHandler Message has sessionId param");
String sessionId = element.item(0).getTextContent();
try{//trato de recuperar la session a partir del sessionId
SessionKey sK = new DefaultSessionKey(sessionId);
Session session = securityManager.getSession(sK);
if(session == null){
System.out.println("Session does not exist");
return false;
} else {//la session se creo correctamente
System.out.println("OK Session recovered succesfully!!");
builder.sessionCreationEnabled(false);
builder.session(session);
}
}catch(SessionException se){//no se pudo crear la session a partir del
session id
System.out.println("securityManager.getSession(sK); produced
SessionException "+se.getClass().getSimpleName()+" "+ se.getMessage());
return false;
}
} else {//si no tiene el parametro sessionId
System.out.println("SessionIdHandler Message doesn't have sessionId
param");
System.out.println("binding a new subject to the thread");
builder.sessionCreationEnabled(true);
}
//a partir de aca tengo el builder configurado para crear un subject. ya
sea a partir de una session existente o creando una nueva.
Subject subject = builder.buildSubject();
ThreadState threadState = new SubjectThreadState(subject);
threadState.bind();
mc.put(THREAD_STATE, threadState);// pongo el threadstate en el context
para liberarlo a la salida
} catch (SOAPException e) {
log.info("SOAPException = " + e.getMessage());
return false;
}
} else {// Cuando el mensaje es de salida aprobecho para limpiar el
threadstate.
ThreadState threadState = (ThreadState) mc.get(THREAD_STATE);
if (threadState != null) {
System.out.println("limpiando el threadstate "+threadState);
// threadState.clear();
}
}
return true;
}
public Set<QName> getHeaders() {
return Collections.emptySet(); }
public void close(MessageContext mc) { }
public boolean handleFault(SOAPMessageContext mc) {
System.out.println("SessionIdHandler.handleFault");
return true;
}
}
@Stateless
@LocalBean// esto hace que implemente la interfaz no view
@WebService
@HandlerChain(file = SessionIdHandler.META_INF_HANDLERS_XML)// ok!
public class LoginService {
// constante que usa el handler para leer el mensaje y vincular el usuario
// con el thread debe ser igual que @WebParam(name="session_id")
public static final String SESSION_ID_PARAM = "session_id";
@EJB UserBean uBean;
/**
* Default constructor.
*/
public LoginService() {
}
/**
* @return sessionId debe ser el primer parametro de todas las otras
* consultas o pasado como atributo de la consulta.
* @throws ServiceException
*/
public String login(@WebParam(name = "user") String user,
@WebParam(name = "pass") String pass) throws ServiceException {
if (uBean != null) {
String resp = "no se puede loguear";
try {
resp = uBean.login(user, pass);
} catch (Exception e) {
resp = "excepcion";
e.printStackTrace();
throw new ServiceException("AuthenticationException",e);
}
return resp;
}
return "no uBean";
}
public String logout(@WebParam(name = SESSION_ID_PARAM) String session_id)
{
return uBean.logout();
}
/**
* se carga un user_pass_mail_token con fecha de vencimiento y un usr_id en
* blanco; estado = solicitud
*/
public boolean requestUserToken(
@WebParam(name = "usr_name") String usr_name,
@WebParam(name = "usr_mail") String usr_mail,
@WebParam(name = "locale") Locale locale) {
UserToken token = new UserToken();
token.setUsrName(usr_name);
token.setUsrMail(usr_mail);
token.setLocale(locale);
if (uBean != null) {
uBean.requestUserToken(token);
}
return true;
}
public UserToken getUserToken(@WebParam(name =
LoginService.SESSION_ID_PARAM) String session_id) {
return null;
}
/**
* metodo que permite al usuari cambiar su token de acceso por uno nuevo
* @param session_id
* @param user
* @param pass
* @return true si se pudo cambiar el token
*/
public Boolean updateToken(@WebParam(name = LoginService.SESSION_ID_PARAM)
String session_id,
@WebParam(name = "user") String user,
@WebParam(name = "pass") String pass) {
final UserToken token = new UserToken();
token.setUsrName(user);
token.setUsrPass(pass);
uBean.updateToken(token);
return true;
}
}
/**
* @author Edward P. Legaspi
* @since Oct 10, 2012
*
*/
/**
* clase a la que se llama cuando se invoca un metodo anotado @Secured la
misma
* verifica que el Subject invocante tenga los permisos requeridos por el
metodo
*
* solo puede interceptar beans normales nada de webservices o webservlets..
* etc, para eso estan los filters
*
* @author Tomas ini
*
*/
@Secured
@Interceptor
public class SecurityInterceptor {
@Inject
private Subject subject;
private Logger log = LoggerFactory.getLogger(SecurityInterceptor.class);
@AroundInvoke
public Object interceptGet(InvocationContext ctx) throws Exception {
subject = SecurityUtils.getSubject();
final Class<? extends Object> runtimeClass = ctx.getTarget().getClass();
// Check if user is authenticated
boolean requiresAuthentication = false;
try { // check method first
Annotation a = ctx.getMethod().getAnnotation(
RequiresAuthentication.class);
if (a != null) {
requiresAuthentication = true;
}
} catch (NullPointerException e) {
requiresAuthentication = false;
}
if (!requiresAuthentication) { // then check class level
try {
if (runtimeClass != null) {
Annotation a = runtimeClass
.getAnnotation(RequiresAuthentication.class);
if (a != null) {
requiresAuthentication = true;
}
} else {
throw (new NullPointerException());
}
} catch (NullPointerException e) {
requiresAuthentication = false;
}
}
if (requiresAuthentication) {
log.info("[security] checking for authenticated user.");
try {
if (!subject.isAuthenticated()) {//THIS FAILS SOMETIMES
System.out.println("subject.isAuthenticated es false entoces respondo
AuthorizationException");
log.info("[security] user not authenticated.");
throw new AuthorizationException();
}else{
log.info("OK!! subject is authenticated");
}
} catch (Exception e) {
log.info("Access denied - {}: {}" + e.getClass().getName()
+ e.getMessage());
throw e;
}
}
/************************************************************/
// check if user has roles
boolean requiresRoles = false;
List<String> listOfRoles = null;
try { // check method first
RequiresRoles roles = ctx.getMethod().getAnnotation(
RequiresRoles.class);
listOfRoles = Arrays.asList(roles.value());
requiresRoles = true;
} catch (NullPointerException e) {
requiresRoles = false;
}
if (!requiresRoles || listOfRoles == null) { // check class
try {
RequiresRoles roles = runtimeClass
.getAnnotation(RequiresRoles.class);
listOfRoles = Arrays.asList(roles.value());
requiresRoles = true;
} catch (NullPointerException e) {
requiresRoles = false;
}
}
if (requiresRoles && listOfRoles != null) {
log.info("[security] checking for roles.");
try {
boolean[] boolRoles = subject.hasRoles(listOfRoles);
boolean roleVerified = false;
for (boolean b : boolRoles) {
if (b) {
roleVerified = true;
break;
}
}
if (!roleVerified) {
throw new javax.ejb.EJBException(
"Access denied. User doesn't have enough privilege Roles:"
+ listOfRoles + " to access this page.");
}
} catch (Exception e) {
log.info("Access denied - {}: {}" + e.getClass().getName()
+ e.getMessage());
throw e;
}
}
/************************************************************/
// and lastly check for permissions
boolean requiresPermissions = false;
List<String> listOfPermissionsString = null;
try { // check method first
RequiresPermissions permissions = ctx.getMethod().getAnnotation(
RequiresPermissions.class);
listOfPermissionsString = Arrays.asList(permissions.value());
requiresPermissions = true;
} catch (NullPointerException e) {
requiresPermissions = false;
}
if (!requiresPermissions || listOfPermissionsString == null) {
// check class
try {
RequiresPermissions permissions = runtimeClass
.getAnnotation(RequiresPermissions.class);
listOfPermissionsString = Arrays.asList(permissions.value());
requiresPermissions = true;
} catch (NullPointerException e) {
requiresPermissions = false;
}
}
if (requiresPermissions && listOfPermissionsString != null) {
log.info("[security] checking for permissions.");
List<Permission> listOfPermissions = new ArrayList<Permission>();
for (String p : listOfPermissionsString) {
listOfPermissions.add((Permission) new WildcardPermission(p));
}
try {
boolean[] boolPermissions = subject
.isPermitted(listOfPermissions);
boolean permitted = false;
for (boolean b : boolPermissions) {
if (b) {
permitted = true;
break;
}
}
if (!permitted) {
throw new AuthorizationException(
"Access denied. User doesn't have enough privilege Permissions:"
+ listOfRoles + " to access this page.");
}
} catch (Exception e) {
log.info("Access denied - {}: {}" + e.getClass().getName()
+ e.getMessage());
throw e;
}
}
return ctx.proceed();
}
}
2014-01-03T19:36:18.876-0300|Info: lgBean not null
2014-01-03T19:36:18.877-0300|Info: SecurityProducer.init()
2014-01-03T19:36:18.879-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.shiro.EaoRealm - construyendo EaoRealm
2014-01-03T19:36:18.879-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.shiro.EaoRealm - termine de construir EaoRealm
2014-01-03T19:36:19.933-0300|Severe: [http-listener-1(4)] INFO
org.apache.shiro.cache.ehcache.EhCacheManager - Cache with name
'eaoRealm.authorizationCache' does not yet exist. Creating now.
2014-01-03T19:36:19.966-0300|Severe: [http-listener-1(4)] INFO
org.apache.shiro.cache.ehcache.EhCacheManager - Added EhCache named
[eaoRealm.authorizationCache]
2014-01-03T19:36:19.990-0300|Severe: [http-listener-1(4)] INFO
org.apache.shiro.config.IniSecurityManagerFactory - Realms have been
explicitly set on the SecurityManager instance - auto-setting of realms will
not occur.
2014-01-03T19:36:19.990-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.shiroee6.SecurityProducer - Initializing Shiro INI
SecurityManager using file:/C:/Program
Files/glassfish_4/glassfish4/glassfish/domains/domain1/eclipseApps/UrsulaServerEAR/UrsulaEJB_jar/META-INF/shiro.ini
2014-01-03T19:36:20.004-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.UserBean - LoginBean.login
2014-01-03T19:36:20.004-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.UserBean - procedo a autenticar el usuario
user={tomas}, password={111222}
2014-01-03T19:36:20.008-0300|Info: buscando tokens activos en
UserTokenController
2014-01-03T19:36:20.019-0300|Info: EclipseLink, version: Eclipse Persistence
Services - 2.5.0.v20130507-3faac2b
2014-01-03T19:36:20.389-0300|Info: file:/C:/Program
Files/glassfish_4/glassfish4/glassfish/domains/domain1/eclipseApps/UrsulaServerEAR/UrsulaEJB_jar/_UrsulaPU
login successful
2014-01-03T19:36:20.564-0300|Severe: [http-listener-1(4)] INFO
com.ursula.eao.usuario.UserTokenController - encontre tomas
2014-01-03T19:36:20.583-0300|Severe: [http-listener-1(4)] INFO
org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Enabling
session validation scheduler...
2014-01-03T19:36:20.590-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado
subject=org.apache.shiro.subject.support.DelegatingSubject@2f31141
2014-01-03T19:36:20.590-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado username=tomas
2014-01-03T19:36:20.590-0300|Info: buscando tokens activos en
UserTokenController
2014-01-03T19:36:20.631-0300|Severe: [http-listener-1(4)] INFO
com.ursula.eao.usuario.UserTokenController - encontre tomas
2014-01-03T19:36:20.651-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.UserBean - devuelvo la sessionId:
30bf20a4-5226-4ddb-be1e-bfe564d48542
2014-01-03T19:36:33.194-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.UserBean - devuelvo el usuario de la session
2014-01-03T19:36:33.194-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado
subject=org.apache.shiro.subject.support.DelegatingSubject@2f31141
2014-01-03T19:36:33.194-0300|Severe: [http-listener-1(4)] INFO
com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado username=tomas
2014-01-03T19:36:33.195-0300|Info: buscando tokens activos en
UserTokenController
2014-01-03T19:36:33.201-0300|Severe: [http-listener-1(4)] INFO
com.ursula.eao.usuario.UserTokenController - encontre tomas
2014-01-03T19:36:38.147-0300|Info: updateUsuarioLogueado Tomas3
2014-01-03T19:36:38.148-0300|Severe: [http-listener-1(3)] INFO
com.ursula.beans.auth.shiroee6.SecurityInterceptor - [security] checking for
authenticated user.
2014-01-03T19:36:38.148-0300|Info: subject.isAuthenticated es false entoces
respondo AuthorizationException
2014-01-03T19:36:38.148-0300|Severe: [http-listener-1(3)] INFO
com.ursula.beans.auth.shiroee6.SecurityInterceptor - [security] user not
authenticated.
2014-01-03T19:36:38.148-0300|Warning: EJB5184:A system exception occurred
during an invocation on EJB UserBean, method: public boolean
com.ursula.beans.auth.UserBean.updateUsuario(com.ursula.entity.jaas.Usuario)
throws org.apache.shiro.authz.AuthorizationException
2014-01-03T19:36:38.148-0300|Severe: [http-listener-1(3)] INFO
com.ursula.beans.auth.shiroee6.SecurityInterceptor - Access denied - {}:
{}org.apache.shiro.authz.AuthorizationExceptionnull
2014-01-03T19:36:38.149-0300|Warning:
javax.ejb.TransactionRolledbackLocalException: Exception thrown from bean
at
com.sun.ejb.containers.EJBContainerTransactionManager.checkExceptionClientTx(EJBContainerTransactionManager.java:662)
at
com.sun.ejb.containers.EJBContainerTransactionManager.postInvokeTx(EJBContainerTransactionManager.java:507)
at
com.sun.ejb.containers.BaseContainer.postInvokeTx(BaseContainer.java:4475)
at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:2009)
at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:1979)
at
com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:220)
at
com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
at $Proxy288.updateUsuario(Unknown Source)
at
com.ursula.beans.auth.__EJB31_Generated__UserBean__Intf____Bean__.updateUsuario(Unknown
Source)
at
com.ursula.service.UsuarioService.updateUsuarioLogueado(UsuarioService.java:58)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at
org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1081)
at
org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1153)
at
com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:4695)
at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:630)
at
com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
at
org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:55)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at
com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
at
com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
at
com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doCall(SystemInterceptorProxy.java:163)
at
com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:140)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at
com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
at
com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
at
com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:369)
at
com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:4667)
at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4655)
at
com.sun.ejb.containers.WebServiceInvocationHandler.invoke(WebServiceInvocationHandler.java:193)
at $Proxy223.updateUsuarioLogueado(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.glassfish.webservices.InvokerImpl.invoke(InvokerImpl.java:82)
at org.glassfish.webservices.EjbInvokerImpl.invoke(EjbInvokerImpl.java:82)
at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:149)
at
com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:88)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
at
com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:136)
at
org.glassfish.webservices.MonitoringPipe.process(MonitoringPipe.java:142)
at
com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
at
com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:136)
at
com.sun.enterprise.security.webservices.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:210)
at
com.sun.enterprise.security.webservices.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:142)
at
com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:420)
at
com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:687)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:266)
at
com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:169)
at
org.glassfish.webservices.Ejb3MessageDispatcher.handlePost(Ejb3MessageDispatcher.java:110)
at
org.glassfish.webservices.Ejb3MessageDispatcher.invoke(Ejb3MessageDispatcher.java:80)
at
org.glassfish.webservices.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:203)
at
org.glassfish.webservices.EjbWebServiceServlet.service(EjbWebServiceServlet.java:146)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
org.glassfish.grizzly.servlet.ServletHandler.doServletService(ServletHandler.java:242)
at
org.glassfish.grizzly.servlet.ServletHandler.service(ServletHandler.java:193)
at
com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:246)
at
org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
at
org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
at
org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
at
org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at
org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
at
org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
at
org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
at
org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
at
org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at
org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
at
org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
at
org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
at
org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at
org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
at
org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
at
org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
at java.lang.Thread.run(Thread.java:722)
Caused by: org.apache.shiro.authz.AuthorizationException
at
com.ursula.beans.auth.shiroee6.SecurityInterceptor.interceptGet(SecurityInterceptor.java:125)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at
com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
at
com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
at
org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:46)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at
com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
at
com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
at
com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doCall(SystemInterceptorProxy.java:163)
at
com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:140)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at
com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
at
com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
at
com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:369)
at
com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:4667)
at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4655)
at
com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:212)
... 91 more
--
View this message in context: http://shiro-user.582556.n2.nabble.com/subject-isAuthenticated-false-after-a-couple-of-calls-soap-ws-tp7579490.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: subject.isAuthenticated(); false after a couple of calls. soap ws
Posted by Tomas Lund Petersen <ko...@gmail.com>.
Hi,
I finally managed to sort this out. seems like i had a problem in my
SessionIdHandler deployment. The error message was burried under a ton of
unrelated warings so i didn't see it.
firt it was a constructor witch seems to break the SoapHandler for some
reason. And then i had to sort out the correct initialization for shiro
because injection also caused a deployment error. I think it's becaus soap
handlers work on a diferent context than ejb.
I had to Initialize shiro directly on my soap handler method, so i ended
with an ugly code that works.
public class SessionIdHandler implements SOAPHandler<SOAPMessageContext> {
static final String META_INF_HANDLERS_XML = "/META-INF/handlers.xml";
private static final String THREAD_STATE = "threadState";
private static final Logger log =
LoggerFactory.getLogger(SessionIdHandler.class);
public static SecurityManager securityManager = null;
/**
* SOAP Request
*
* <?xml version="1.0" encoding="UTF-8"?><S:Envelope
* xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"> <S:Header/>
<S:Body>
* <ns2:logout xmlns:ns2="http://service.ursula.com/">
* <session_id>14f92165-64bd-4783-b111-7945012dd607</session_id>
* </ns2:logout> </S:Body> </S:Envelope>
*/
public boolean handleMessage(SOAPMessageContext mc) {
if(securityManager == null){
String iniFile =SecurityInterceptor.class.
getResource("/META-INF/shiro.ini").toExternalForm();
securityManager = new
IniSecurityManagerFactory(iniFile).getInstance();
SecurityUtils.setSecurityManager(securityManager);
}
Boolean outbound = (Boolean) mc
.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
if (!outbound) {
try {
Builder builder = (new Subject.Builder(securityManager));
final SOAPMessage message = mc.getMessage();
final SOAPBody body = message.getSOAPBody();
NodeList element =
body.getElementsByTagName(LoginService.SESSION_ID_PARAM);
if (element.item(0) != null) {
String sessionId =
element.item(0).getTextContent();
try{
SessionKey sK = new DefaultSessionKey(sessionId);
Session session = securityManager.getSession(sK);
if(session == null){
return false;
} else {
System.out.println("OK Session recovered
succesfully!!");
builder.sessionCreationEnabled(false);
builder.session(session);
}
}catch(SessionException se){
return false;
}
} else {
builder.sessionCreationEnabled(true);
}
Subject subject = builder.buildSubject();
ThreadState threadState = new SubjectThreadState(subject);
threadState.bind();
mc.put(THREAD_STATE, threadState);
} catch (SOAPException e) {
log.info("SOAPException = " + e.getMessage());
return false;
}
} else {
ThreadState threadState = (ThreadState) mc.get(THREAD_STATE);
if (threadState != null) {
threadState.clear();
}
}
return true;
}
public Set<QName> getHeaders() {
return Collections.emptySet();
}
public void close(MessageContext mc) {
}
public boolean handleFault(SOAPMessageContext mc) {
System.out.println("SessionIdHandler.handleFault");
return true;
}
}
@Startup
@Singleton
public class SecurityProducer {
private SecurityManager securityManager;
private Logger log=LoggerFactory.getLogger(SecurityProducer.class);
@PostConstruct
public void init() {
if( SessionIdHandler.securityManager == null){
String iniFile
=SecurityInterceptor.class.getResource("/META-INF/shiro.ini").toExternalForm();//ok!
securityManager = new
IniSecurityManagerFactory(iniFile).getInstance();
log.info("Initializing Shiro INI SecurityManager using " +
iniFile);
SecurityUtils.setSecurityManager(securityManager);
SessionIdHandler.securityManager=securityManager;
} else {
securityManager = SessionIdHandler.securityManager;
}
}
@Produces
@Named("securityManager")
public SecurityManager getSecurityManager() {
return securityManager;
}
@Produces
public Subject getSubject() {
return SecurityUtils.getSubject();
}
}
On Fri, Jan 3, 2014 at 8:58 PM, kotogadekiru <ko...@gmail.com> wrote:
> Hi,
> I have a pretty special setup for shiro and I'm having a problem i can't
> solve.
> I can login perfectly via soap webservice sending userName and password and
> retrieve a sessionId.
> Then i can call another webservice wich retrieves the logedIn user (Object)
> from the sessionId.
> All the permissions are checked and cleared by my SecurityInterceptor and
> the responce is successfull. (this method doesn't require authentication)
> But when i call the updateUser(sessionId, user) i get a
> Subject.isAuthenticated() false in the SecurityInterceptor and have to
> throw
> an AuthenticationException
>
> The subject binding is done by a soapHandler wich retrieves the session
> corresponding to the sessionId provided, construct a subject and then bind
> it to the threadContext.
>
> I don't understand why i get this erratic behavior from
> Subject.isAuthenticated() i don't see any problems while retrieving the
> session in the SessionIdHandler (the soap call is not passed to the service
> in this case)
>
> It seems to me that subject.isAuthenticated() is false when retrieving a
> session by sessionId. Is this so? how can i instruct shiro to keep the
> state
> of authenticated?
>
> The setup: sourceforge_code
> <
> http://sourceforge.net/p/ursulaerp/code/HEAD/tree/UrsulaEJB/ejbModule/com/ursula/
> >
> Glassfish 4
> Ejb webservice/Soap (no web.xml)
> Shiro is started in a SecurityProducer @Singleton based on link
> <
> http://czetsuya-tech.blogspot.com.ar/2012/10/how-to-integrate-apache-shiro-with.html#.UsdA_rSJ5Po
> >
>
> shiro.ini
> [main]
> filter =com.ursula.beans.auth.shiro.UrsulaFilter
> eaoRealm = com.ursula.beans.auth.shiro.EaoRealm
> cacheManager=org.apache.shiro.cache.ehcache.EhCacheManager
> eaoRealm.cacheManager=$cacheManager
> securityManager.realms = $eaoRealm
> [urls]
> /*=ssl[8181]
>
> //Part of UserBean.java subject is @Injected from the SecurityProducer
> public String login(String user, String pass) {
> log.info("LoginBean.login");
> log.info("procedo a autenticar el usuario user={" + user+
> "}, password={"
> + pass +"}");
>
> UserToken token = new UserToken(user, pass);
>
> subject.login(token);//org.apache.shiro.session.UnknownSessionException:
> There is no session with id [d59cd917-e734-4ef6-9acc-fbfca1474180]
> String sessionId = subject.getSession().getId().toString();
> UserToken tk = getTokenLogueado();
> Usuario usuario = tk.getUsuario();
> subject.getSession().setAttribute(USUARIO_ATTRIBUTE,
> usuario);
> log.info("devuelvo la sessionId: " + sessionId);
> return sessionId;
> }
>
> /**
> * @author Edward P. Legaspi
> * @since Oct 10, 2012 Produces an instance of Shiro's subject so that it
> can be
> * injected.
> */
>
> /**
> * Clase que produce un objeto de tipo Subject para que pueda ser injectado
> con la anotacion @Inject Subject
> * @author Tomas ini
> *
> */
> @Startup
> @Singleton
> public class SecurityProducer {
>
> private SecurityManager securityManager;
> private Logger log=LoggerFactory.getLogger(SecurityProducer.class);
>
> @PostConstruct
> public void init() {
> System.out.println("SecurityProducer.init()");
> String iniFile
>
> =SecurityInterceptor.class.getResource("/META-INF/shiro.ini").toExternalForm();//ok!
> securityManager = new IniSecurityManagerFactory(
> iniFile).getInstance();
> log.info("Initializing Shiro INI SecurityManager using " +
> iniFile);
> SecurityUtils.setSecurityManager(securityManager);//Esto lo agrega
> como una
> referencia estatica de SecurityUtils. si lo corro mas de una vez se pierden
> las sessiones.
> }
>
> @Produces
> @Named("securityManager")
> public SecurityManager getSecurityManager() {
> System.out.println("securityManager en SecurityProducer es
> "+securityManager);
> return securityManager;
> }
>
> @Produces
> public Subject getSubject() {
> return SecurityUtils.getSubject();
> }
> }
>
> /**
> * Handler que se puede agregar a un servcio para que maneje la
> adjudicacion
> de
> * una session a un thread cuando se encuentra el paramentro session_id
> *
> * @author Tomas ini
> *
> */
> public class SessionIdHandler implements SOAPHandler<SOAPMessageContext> {
> static final String META_INF_HANDLERS_XML =
> "/META-INF/handlers.xml";
>
> private static final String THREAD_STATE = "threadState";
> private static final Logger log = LoggerFactory
> .getLogger(SessionIdHandler.class);
>
> @EJB @Named("securityManager") SecurityManager securityManager;
>
> public boolean handleMessage(SOAPMessageContext mc) {
> log.info("SessionIdHandler.handleMessage()");
> Boolean outbound = (Boolean) mc
>
> .get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
> if (!outbound) {
> System.out.println("SessionIdHandler Inbound soap
> Message");
> try {
> System.out.println("securityManager en
> sessionIdHandler es
> "+securityManager);
> Builder builder = (new
> Subject.Builder(securityManager));
>
> final SOAPMessage message =
> mc.getMessage();
> final SOAPBody body =
> message.getSOAPBody();
> NodeList element =
> body.getElementsByTagName(LoginService.SESSION_ID_PARAM);
>
> if (element.item(0) != null) {//si tiene
> el parametro sessionId
>
> System.out.println("SessionIdHandler Message has sessionId param");
> String sessionId =
> element.item(0).getTextContent();
>
> try{//trato de recuperar la
> session a partir del sessionId
> SessionKey sK = new
> DefaultSessionKey(sessionId);
> Session session =
> securityManager.getSession(sK);
> if(session == null){
>
> System.out.println("Session does not exist");
> return false;
> } else {//la session se creo
> correctamente
> System.out.println("OK
> Session recovered succesfully!!");
>
> builder.sessionCreationEnabled(false);
> builder.session(session);
> }
> }catch(SessionException se){//no
> se pudo crear la session a partir del
> session id
>
> System.out.println("securityManager.getSession(sK); produced
> SessionException "+se.getClass().getSimpleName()+" "+ se.getMessage());
> return false;
> }
> } else {//si no tiene el parametro
> sessionId
>
> System.out.println("SessionIdHandler Message doesn't have sessionId
> param");
> System.out.println("binding a new
> subject to the thread");
>
> builder.sessionCreationEnabled(true);
> }
> //a partir de aca tengo el builder
> configurado para crear un subject. ya
> sea a partir de una session existente o creando una nueva.
> Subject subject = builder.buildSubject();
>
> ThreadState threadState = new
> SubjectThreadState(subject);
> threadState.bind();
> mc.put(THREAD_STATE, threadState);// pongo
> el threadstate en el context
> para liberarlo a la salida
> } catch (SOAPException e) {
> log.info("SOAPException = " +
> e.getMessage());
> return false;
> }
> } else {// Cuando el mensaje es de salida aprobecho para
> limpiar el
> threadstate.
> ThreadState threadState = (ThreadState)
> mc.get(THREAD_STATE);
> if (threadState != null) {
> System.out.println("limpiando el
> threadstate "+threadState);
> // threadState.clear();
> }
> }
> return true;
> }
>
> public Set<QName> getHeaders() {
> return Collections.emptySet(); }
>
> public void close(MessageContext mc) { }
>
> public boolean handleFault(SOAPMessageContext mc) {
> System.out.println("SessionIdHandler.handleFault");
> return true;
> }
> }
>
>
> @Stateless
> @LocalBean// esto hace que implemente la interfaz no view
> @WebService
> @HandlerChain(file = SessionIdHandler.META_INF_HANDLERS_XML)// ok!
> public class LoginService {
> // constante que usa el handler para leer el mensaje y vincular el
> usuario
> // con el thread debe ser igual que @WebParam(name="session_id")
> public static final String SESSION_ID_PARAM = "session_id";
>
> @EJB UserBean uBean;
> /**
> * Default constructor.
> */
> public LoginService() {
> }
>
> /**
> * @return sessionId debe ser el primer parametro de todas las
> otras
> * consultas o pasado como atributo de la consulta.
> * @throws ServiceException
> */
>
> public String login(@WebParam(name = "user") String user,
> @WebParam(name = "pass") String pass) throws
> ServiceException {
> if (uBean != null) {
> String resp = "no se puede loguear";
> try {
> resp = uBean.login(user, pass);
> } catch (Exception e) {
> resp = "excepcion";
> e.printStackTrace();
> throw new
> ServiceException("AuthenticationException",e);
> }
> return resp;
> }
> return "no uBean";
> }
>
> public String logout(@WebParam(name = SESSION_ID_PARAM) String
> session_id)
> {
> return uBean.logout();
> }
>
> /**
> * se carga un user_pass_mail_token con fecha de vencimiento y un
> usr_id en
> * blanco; estado = solicitud
> */
> public boolean requestUserToken(
> @WebParam(name = "usr_name") String usr_name,
> @WebParam(name = "usr_mail") String usr_mail,
> @WebParam(name = "locale") Locale locale) {
> UserToken token = new UserToken();
> token.setUsrName(usr_name);
> token.setUsrMail(usr_mail);
> token.setLocale(locale);
> if (uBean != null) {
> uBean.requestUserToken(token);
> }
> return true;
> }
>
> public UserToken getUserToken(@WebParam(name =
> LoginService.SESSION_ID_PARAM) String session_id) {
> return null;
> }
>
> /**
> * metodo que permite al usuari cambiar su token de acceso por uno nuevo
> * @param session_id
> * @param user
> * @param pass
> * @return true si se pudo cambiar el token
> */
> public Boolean updateToken(@WebParam(name =
> LoginService.SESSION_ID_PARAM)
> String session_id,
> @WebParam(name = "user") String user,
> @WebParam(name = "pass") String pass) {
> final UserToken token = new UserToken();
> token.setUsrName(user);
> token.setUsrPass(pass);
> uBean.updateToken(token);
> return true;
> }
> }
>
> /**
> * @author Edward P. Legaspi
> * @since Oct 10, 2012
> *
> */
>
> /**
> * clase a la que se llama cuando se invoca un metodo anotado @Secured la
> misma
> * verifica que el Subject invocante tenga los permisos requeridos por el
> metodo
> *
> * solo puede interceptar beans normales nada de webservices o
> webservlets..
> * etc, para eso estan los filters
> *
> * @author Tomas ini
> *
> */
>
> @Secured
> @Interceptor
> public class SecurityInterceptor {
> @Inject
> private Subject subject;
> private Logger log =
> LoggerFactory.getLogger(SecurityInterceptor.class);
>
>
>
> @AroundInvoke
> public Object interceptGet(InvocationContext ctx) throws Exception
> {
> subject = SecurityUtils.getSubject();
>
> final Class<? extends Object> runtimeClass =
> ctx.getTarget().getClass();
>
> // Check if user is authenticated
> boolean requiresAuthentication = false;
> try { // check method first
> Annotation a = ctx.getMethod().getAnnotation(
> RequiresAuthentication.class);
> if (a != null) {
> requiresAuthentication = true;
> }
>
> } catch (NullPointerException e) {
> requiresAuthentication = false;
> }
>
> if (!requiresAuthentication) { // then check class level
> try {
> if (runtimeClass != null) {
> Annotation a = runtimeClass
>
> .getAnnotation(RequiresAuthentication.class);
> if (a != null) {
> requiresAuthentication =
> true;
> }
> } else {
> throw (new NullPointerException());
> }
> } catch (NullPointerException e) {
> requiresAuthentication = false;
> }
> }
> if (requiresAuthentication) {
> log.info("[security] checking for authenticated
> user.");
> try {
> if (!subject.isAuthenticated()) {//THIS
> FAILS SOMETIMES
>
> System.out.println("subject.isAuthenticated es false entoces respondo
> AuthorizationException");
> log.info("[security] user not
> authenticated.");
> throw new AuthorizationException();
> }else{
> log.info("OK!! subject is
> authenticated");
> }
> } catch (Exception e) {
> log.info("Access denied - {}: {}" +
> e.getClass().getName()
> + e.getMessage());
> throw e;
> }
> }
>
> /************************************************************/
>
> // check if user has roles
> boolean requiresRoles = false;
> List<String> listOfRoles = null;
>
> try { // check method first
> RequiresRoles roles =
> ctx.getMethod().getAnnotation(
> RequiresRoles.class);
> listOfRoles = Arrays.asList(roles.value());
> requiresRoles = true;
> } catch (NullPointerException e) {
> requiresRoles = false;
> }
>
> if (!requiresRoles || listOfRoles == null) { // check class
> try {
> RequiresRoles roles = runtimeClass
>
> .getAnnotation(RequiresRoles.class);
> listOfRoles = Arrays.asList(roles.value());
> requiresRoles = true;
> } catch (NullPointerException e) {
> requiresRoles = false;
> }
> }
>
> if (requiresRoles && listOfRoles != null) {
> log.info("[security] checking for roles.");
> try {
> boolean[] boolRoles =
> subject.hasRoles(listOfRoles);
> boolean roleVerified = false;
> for (boolean b : boolRoles) {
> if (b) {
> roleVerified = true;
> break;
> }
> }
> if (!roleVerified) {
> throw new javax.ejb.EJBException(
> "Access denied.
> User doesn't have enough privilege Roles:"
> +
> listOfRoles + " to access this page.");
> }
> } catch (Exception e) {
> log.info("Access denied - {}: {}" +
> e.getClass().getName()
> + e.getMessage());
> throw e;
> }
> }
>
> /************************************************************/
>
> // and lastly check for permissions
> boolean requiresPermissions = false;
> List<String> listOfPermissionsString = null;
>
> try { // check method first
> RequiresPermissions permissions =
> ctx.getMethod().getAnnotation(
> RequiresPermissions.class);
> listOfPermissionsString =
> Arrays.asList(permissions.value());
> requiresPermissions = true;
> } catch (NullPointerException e) {
> requiresPermissions = false;
> }
>
> if (!requiresPermissions || listOfPermissionsString ==
> null) {
> // check class
> try {
> RequiresPermissions permissions =
> runtimeClass
>
> .getAnnotation(RequiresPermissions.class);
> listOfPermissionsString =
> Arrays.asList(permissions.value());
> requiresPermissions = true;
> } catch (NullPointerException e) {
> requiresPermissions = false;
> }
> }
>
> if (requiresPermissions && listOfPermissionsString !=
> null) {
> log.info("[security] checking for permissions.");
> List<Permission> listOfPermissions = new
> ArrayList<Permission>();
> for (String p : listOfPermissionsString) {
> listOfPermissions.add((Permission) new
> WildcardPermission(p));
> }
> try {
> boolean[] boolPermissions = subject
>
> .isPermitted(listOfPermissions);
> boolean permitted = false;
> for (boolean b : boolPermissions) {
> if (b) {
> permitted = true;
> break;
> }
> }
> if (!permitted) {
> throw new AuthorizationException(
> "Access denied.
> User doesn't have enough privilege Permissions:"
> +
> listOfRoles + " to access this page.");
> }
> } catch (Exception e) {
> log.info("Access denied - {}: {}" +
> e.getClass().getName()
> + e.getMessage());
> throw e;
> }
> }
> return ctx.proceed();
> }
> }
>
>
> 2014-01-03T19:36:18.876-0300|Info: lgBean not null
> 2014-01-03T19:36:18.877-0300|Info: SecurityProducer.init()
> 2014-01-03T19:36:18.879-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.shiro.EaoRealm - construyendo EaoRealm
> 2014-01-03T19:36:18.879-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.shiro.EaoRealm - termine de construir EaoRealm
> 2014-01-03T19:36:19.933-0300|Severe: [http-listener-1(4)] INFO
> org.apache.shiro.cache.ehcache.EhCacheManager - Cache with name
> 'eaoRealm.authorizationCache' does not yet exist. Creating now.
> 2014-01-03T19:36:19.966-0300|Severe: [http-listener-1(4)] INFO
> org.apache.shiro.cache.ehcache.EhCacheManager - Added EhCache named
> [eaoRealm.authorizationCache]
> 2014-01-03T19:36:19.990-0300|Severe: [http-listener-1(4)] INFO
> org.apache.shiro.config.IniSecurityManagerFactory - Realms have been
> explicitly set on the SecurityManager instance - auto-setting of realms
> will
> not occur.
> 2014-01-03T19:36:19.990-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.shiroee6.SecurityProducer - Initializing Shiro INI
> SecurityManager using file:/C:/Program
>
> Files/glassfish_4/glassfish4/glassfish/domains/domain1/eclipseApps/UrsulaServerEAR/UrsulaEJB_jar/META-INF/shiro.ini
> 2014-01-03T19:36:20.004-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.UserBean - LoginBean.login
> 2014-01-03T19:36:20.004-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.UserBean - procedo a autenticar el usuario
> user={tomas}, password={111222}
> 2014-01-03T19:36:20.008-0300|Info: buscando tokens activos en
> UserTokenController
> 2014-01-03T19:36:20.019-0300|Info: EclipseLink, version: Eclipse
> Persistence
> Services - 2.5.0.v20130507-3faac2b
> 2014-01-03T19:36:20.389-0300|Info: file:/C:/Program
>
> Files/glassfish_4/glassfish4/glassfish/domains/domain1/eclipseApps/UrsulaServerEAR/UrsulaEJB_jar/_UrsulaPU
> login successful
> 2014-01-03T19:36:20.564-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.eao.usuario.UserTokenController - encontre tomas
> 2014-01-03T19:36:20.583-0300|Severe: [http-listener-1(4)] INFO
> org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Enabling
> session validation scheduler...
> 2014-01-03T19:36:20.590-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado
> subject=org.apache.shiro.subject.support.DelegatingSubject@2f31141
> 2014-01-03T19:36:20.590-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado username=tomas
> 2014-01-03T19:36:20.590-0300|Info: buscando tokens activos en
> UserTokenController
> 2014-01-03T19:36:20.631-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.eao.usuario.UserTokenController - encontre tomas
> 2014-01-03T19:36:20.651-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.UserBean - devuelvo la sessionId:
> 30bf20a4-5226-4ddb-be1e-bfe564d48542
> 2014-01-03T19:36:33.194-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.UserBean - devuelvo el usuario de la session
> 2014-01-03T19:36:33.194-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado
> subject=org.apache.shiro.subject.support.DelegatingSubject@2f31141
> 2014-01-03T19:36:33.194-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado username=tomas
> 2014-01-03T19:36:33.195-0300|Info: buscando tokens activos en
> UserTokenController
> 2014-01-03T19:36:33.201-0300|Severe: [http-listener-1(4)] INFO
> com.ursula.eao.usuario.UserTokenController - encontre tomas
> 2014-01-03T19:36:38.147-0300|Info: updateUsuarioLogueado Tomas3
> 2014-01-03T19:36:38.148-0300|Severe: [http-listener-1(3)] INFO
> com.ursula.beans.auth.shiroee6.SecurityInterceptor - [security] checking
> for
> authenticated user.
> 2014-01-03T19:36:38.148-0300|Info: subject.isAuthenticated es false entoces
> respondo AuthorizationException
> 2014-01-03T19:36:38.148-0300|Severe: [http-listener-1(3)] INFO
> com.ursula.beans.auth.shiroee6.SecurityInterceptor - [security] user not
> authenticated.
> 2014-01-03T19:36:38.148-0300|Warning: EJB5184:A system exception occurred
> during an invocation on EJB UserBean, method: public boolean
>
> com.ursula.beans.auth.UserBean.updateUsuario(com.ursula.entity.jaas.Usuario)
> throws org.apache.shiro.authz.AuthorizationException
> 2014-01-03T19:36:38.148-0300|Severe: [http-listener-1(3)] INFO
> com.ursula.beans.auth.shiroee6.SecurityInterceptor - Access denied - {}:
> {}org.apache.shiro.authz.AuthorizationExceptionnull
> 2014-01-03T19:36:38.149-0300|Warning:
> javax.ejb.TransactionRolledbackLocalException: Exception thrown from bean
> at
>
> com.sun.ejb.containers.EJBContainerTransactionManager.checkExceptionClientTx(EJBContainerTransactionManager.java:662)
> at
>
> com.sun.ejb.containers.EJBContainerTransactionManager.postInvokeTx(EJBContainerTransactionManager.java:507)
> at
> com.sun.ejb.containers.BaseContainer.postInvokeTx(BaseContainer.java:4475)
> at
> com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:2009)
> at
> com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:1979)
> at
>
> com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:220)
> at
>
> com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
> at $Proxy288.updateUsuario(Unknown Source)
> at
>
> com.ursula.beans.auth.__EJB31_Generated__UserBean__Intf____Bean__.updateUsuario(Unknown
> Source)
> at
>
> com.ursula.service.UsuarioService.updateUsuarioLogueado(UsuarioService.java:58)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:601)
> at
>
> org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1081)
> at
>
> org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1153)
> at
>
> com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:4695)
> at
> com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:630)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
> at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
> at
>
> org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:55)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:601)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
> at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
> at
>
> com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doCall(SystemInterceptorProxy.java:163)
> at
>
> com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:140)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:601)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
> at
>
> com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:369)
> at
> com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:4667)
> at
> com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4655)
> at
>
> com.sun.ejb.containers.WebServiceInvocationHandler.invoke(WebServiceInvocationHandler.java:193)
> at $Proxy223.updateUsuarioLogueado(Unknown Source)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:601)
> at
> org.glassfish.webservices.InvokerImpl.invoke(InvokerImpl.java:82)
> at
> org.glassfish.webservices.EjbInvokerImpl.invoke(EjbInvokerImpl.java:82)
> at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:149)
> at
>
> com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:88)
> at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
> at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
> at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
> at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
> at
>
> com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:136)
> at
> org.glassfish.webservices.MonitoringPipe.process(MonitoringPipe.java:142)
> at
>
> com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
> at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
> at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
> at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
> at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
> at
>
> com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:136)
> at
>
> com.sun.enterprise.security.webservices.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:210)
> at
>
> com.sun.enterprise.security.webservices.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:142)
> at
>
> com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
> at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
> at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
> at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
> at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
> at
> com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:420)
> at
>
> com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:687)
> at
> com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:266)
> at
>
> com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:169)
> at
>
> org.glassfish.webservices.Ejb3MessageDispatcher.handlePost(Ejb3MessageDispatcher.java:110)
> at
>
> org.glassfish.webservices.Ejb3MessageDispatcher.invoke(Ejb3MessageDispatcher.java:80)
> at
>
> org.glassfish.webservices.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:203)
> at
>
> org.glassfish.webservices.EjbWebServiceServlet.service(EjbWebServiceServlet.java:146)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
>
> org.glassfish.grizzly.servlet.ServletHandler.doServletService(ServletHandler.java:242)
> at
>
> org.glassfish.grizzly.servlet.ServletHandler.service(ServletHandler.java:193)
> at
>
> com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:246)
> at
>
> org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
> at
>
> org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
> at
>
> org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
> at
>
> org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
> at
>
> org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
> at
>
> org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
> at
>
> org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
> at
>
> org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
> at
> org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
> at
>
> org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
> at
>
> org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
> at
>
> org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
> at
>
> org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
> at
>
> org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
> at
>
> org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
> at
>
> org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
> at java.lang.Thread.run(Thread.java:722)
> Caused by: org.apache.shiro.authz.AuthorizationException
> at
>
> com.ursula.beans.auth.shiroee6.SecurityInterceptor.interceptGet(SecurityInterceptor.java:125)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:601)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
> at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
> at
>
> org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:46)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:601)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
> at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
> at
>
> com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doCall(SystemInterceptorProxy.java:163)
> at
>
> com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:140)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:601)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
> at
>
> com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
> at
>
> com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:369)
> at
> com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:4667)
> at
> com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4655)
> at
>
> com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:212)
> ... 91 more
>
>
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/subject-isAuthenticated-false-after-a-couple-of-calls-soap-ws-tp7579490.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>