Posted to user@shiro.apache.org by MattShaw <ma...@uk.thalesgroup.com> on 2012/05/02 12:47:53 UTC

Integration of Shiro with Embedded Jetty

Hi,

I am successfully using Shiro in my application (non web based) for
authentication.  I have just added an Embedded Jetty Server into the app to
serve some basic RSS data over HTTP which works fine.

I would like to enable Basic HTTP Authentication into the RSS web feed,
which is possible using Jetty, but how do I devolve the Jetty LoginService
to use the Shiro libraries and configuration?  There seems to be no obvious
method?  I am not using any Jetty config files it's all programmatic.

Regards

Matt



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Integration of Shiro with Embedded Jetty

Posted by Les Hazlewood <lh...@apache.org>.
The easiest thing to do IMO is to subclass the ActiveDirectoryRealm and do
whatever enforcements are necessary there.

You have access to the source code [1] so you can re-create it entirely or
override whatever you need.

HTH,

Les

[1]
http://svn.apache.org/repos/asf/shiro/trunk/core/src/main/java/org/apache/shiro/realm/activedirectory/ActiveDirectoryRealm.java

On Sun, May 13, 2012 at 12:35 PM, MattShaw <ma...@uk.thalesgroup.com> wrote:

> Hi Les/Jarad,
>
> Have you got any thoughts on my post/s?
>
> Thanks
>
> Matt
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712p7555406.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
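
Added example (not part of the original thread and not Shiro's own code): one way to do the enforcement Les describes, by subclassing ActiveDirectoryRealm and rejecting an empty username or password before any LDAP bind is attempted. The class and package names are hypothetical, and the cause assumed here is that a simple bind with an empty password is an LDAP "unauthenticated bind" (RFC 4513, section 5.1.2), which a directory server may accept without checking any credential.

```java
package com.example.security; // hypothetical package, not from the thread

import javax.naming.NamingException;

import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.CredentialsException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;

/**
 * Hypothetical subclass of Shiro's ActiveDirectoryRealm that fails closed on
 * blank credentials instead of forwarding them to the directory server.
 *
 * Wiring in shiro.ini, replacing the stock realm class (the url line stays
 * as it is in the thread's configuration):
 *
 *   activeDirectoryRealm = com.example.security.StrictActiveDirectoryRealm
 */
public class StrictActiveDirectoryRealm extends ActiveDirectoryRealm {

    @Override
    protected AuthenticationInfo queryForAuthenticationInfo(
            AuthenticationToken token, LdapContextFactory ldapContextFactory)
            throws NamingException {
        // Validate first: nothing below this line may run with blank input.
        rejectBlankCredentials(token);
        // The stock realm performs the bind with the supplied credentials.
        return super.queryForAuthenticationInfo(token, ldapContextFactory);
    }

    /**
     * Throws a Shiro AuthenticationException subtype when the token cannot
     * represent a real login attempt. With the FirstSuccessfulStrategy from
     * the thread's configuration, the exception only rules out this realm;
     * the remaining realms (the implicit IniRealm) still evaluate the token.
     */
    static void rejectBlankCredentials(AuthenticationToken token) {
        if (!(token instanceof UsernamePasswordToken)) {
            throw new AuthenticationException(
                    "Only username/password tokens are accepted by this realm");
        }
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;

        String username = upToken.getUsername();
        if (username == null || username.trim().isEmpty()) {
            throw new AccountException("Empty username rejected before LDAP bind");
        }

        // Only a zero-length password is rejected. A whitespace-only password
        // is still a real credential and is left for the directory to judge.
        char[] password = upToken.getPassword();
        if (password == null || password.length == 0) {
            throw new CredentialsException("Empty password rejected before LDAP bind");
        }
    }
}
```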

Re: Integration of Shiro with Embedded Jetty

Posted by MattShaw <ma...@uk.thalesgroup.com>.
Hi Les/Jarad,

Have you got any thoughts on my post/s?

Thanks

Matt


Re: Integration of Shiro with Embedded Jetty

Posted by MattShaw <ma...@uk.thalesgroup.com>.
If this can't be fixed quickly is there a workaround?  Could the Shiro
WebFilter check if either the username or password are empty and then fail
before passing it to the AD server (as a short term fix/hack)?

Cheers

Matt



Re: Integration of Shiro with Embedded Jetty

Posted by MattShaw <ma...@uk.thalesgroup.com>.
Does this issue discuss the same problem, i.e. it allows empty usernames and
passwords to successfully authenticate against AD LDAP connector?

https://issues.apache.org/jira/browse/SHIRO-57

Cheers

Matt


Re: Integration of Shiro with Embedded Jetty

Posted by Les Hazlewood <lh...@apache.org>.
On Tue, May 8, 2012 at 12:37 PM, MattShaw <ma...@uk.thalesgroup.com> wrote:

> Thanks Les,
>
> The configurations are identical and so I would like to keep 1 .ini file.
> Would it be possible to configure the session timeout for a standard non web
> session manager using the .ini file and offload the web session manager to
> the servlet container timeout or configure it in the .ini file?  What would
> the syntax be?
>

The session management mechanisms are entirely different for the different
environments.  I'm not sure of a good way around this.  Maybe implement the
Shiro Factory interface to return an instance of the desired type depending
on your environment? No current implementation exists for this - you'd have
to write it yourself.

The other approach is that you load a different INI config per environment.
Don't forget that you can create an Ini instance programmatically and use
that to initialize Shiro.  This way, you could populate the INI config at
runtime depending on environment - i.e. have helper methods for
common/shared config, and have separate populating methods for the parts
that are different.  It's just an idea, but I think this would probably be
easiest - easier than a Factory at least.


> Do you want me to raise a JIRA issue as this problem is critical as it
> currently lets through users who just don't enter a password using AD?
>

Sure, please feel free to enter one if one does not currently exist for it
(please do a cursory search first to check).  As an open source project, we
do our best to address bugs in a timely manner, but as we are volunteers,
we cannot guarantee any specific timeline.  Commercial support may be an
option if you need faster support.

Best regards,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com <http://www.stormpath.com/> |
888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog:
http://www.stormpath.com/blog<http://www.stormpath.com/blog/index>
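
Added example (not from the thread or the Shiro project): a sketch of the programmatic Ini approach Les suggests, with the shared settings in one helper and the session-manager lines that differ per environment added separately. The class name, the Environment enum and the method parameters are hypothetical; the property names and values are the ones quoted in the thread.

```java
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;

/** Hypothetical helper that builds one Shiro Ini per runtime environment. */
public final class ShiroIniBuilder {

    public enum Environment { STANDALONE, WEB }

    // Same value as the globalSessionTimeout line quoted in the thread.
    private static final String SESSION_TIMEOUT_MILLIS = "180000";

    private ShiroIniBuilder() { }

    public static Ini build(Environment env, String ldapUrl, Map<String, String> users) {
        Ini ini = new Ini();
        Ini.Section main = ini.addSection("main");
        addSharedMain(main, ldapUrl);

        if (env == Environment.WEB) {
            // Web only: switch to Shiro's native session manager first.
            // Without these two lines the timeout property below is not
            // valid in the web environment, as Les explains in the thread.
            main.put("sessionManager",
                    "org.apache.shiro.web.session.mgt.DefaultWebSessionManager");
            main.put("securityManager.sessionManager", "$sessionManager");
        }
        // Valid in both environments once the lines above are in place.
        main.put("securityManager.sessionManager.globalSessionTimeout",
                SESSION_TIMEOUT_MILLIS);

        // A [users] section makes Shiro create the implicit 'iniRealm'.
        if (users != null && !users.isEmpty()) {
            Ini.Section usersSection = ini.addSection("users");
            for (Map.Entry<String, String> user : users.entrySet()) {
                usersSection.put(user.getKey(), user.getValue());
            }
        }

        if (env == Environment.WEB) {
            // URL chains only make sense behind the ShiroFilter.
            ini.addSection("urls").put("/**", "authcBasic");
        }
        return ini;
    }

    /** Settings that are identical for the standalone and web builds. */
    private static void addSharedMain(Ini.Section main, String ldapUrl) {
        main.put("activeDirectoryRealm",
                "org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm");
        main.put("activeDirectoryRealm.url", ldapUrl);
        main.put("authcStrategy",
                "org.apache.shiro.authc.pam.FirstSuccessfulStrategy");
        main.put("securityManager.authenticator.authenticationStrategy",
                "$authcStrategy");
    }

    /** Standalone start-up: build the SecurityManager straight from the Ini. */
    public static SecurityManager initStandalone(String ldapUrl, Map<String, String> users) {
        Ini ini = build(Environment.STANDALONE, ldapUrl, users);
        SecurityManager securityManager = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(securityManager);
        return securityManager;
    }
}
```

For the web build, the resulting Ini still has to be handed to Shiro's web environment (for example through IniWebEnvironment.setIni); that wiring is not shown here.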

Re: Integration of Shiro with Embedded Jetty

Posted by MattShaw <ma...@uk.thalesgroup.com>.
Thanks Les,

The configurations are identical and so I would like to keep 1 .ini file. 
Would it be possible to configure the session timeout for a standard non web
session manager using the .ini file and offload the web session manager to
the servlet container timeout or configure it in the .ini file?  What would
the syntax be?

Do you want me to raise a JIRA issue as this problem is critical as it
currently lets through users who just don't enter a password using AD?

Thanks for the tip I'll remove the iniRealm.

Cheers

Matt






Re: Integration of Shiro with Embedded Jetty

Posted by Les Hazlewood <lh...@apache.org>.
>
> securityManager.sessionManager.globalSessionTimeout = 180000
>

This line of config is only valid if you're using Shiro's native session
manager.  You have to enable the native session manager first:

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

You might also want to think about using two different .ini configs if the
config is sufficiently different across two different environments.


> 2) I have an existing issue with the activeDirectoryRealm which is still
> occurring with the Jetty implementation.  If I have the activeDirectoryRealm
> enabled in my .ini file the authentication against the user accounts
> specified in the file do not need a password, i.e. I can type in the
> username and enter no password and it authenticates fine (which is
> incorrect).  If I comment out the activeDirectoryRealm it does require the
> passwords.  I am obviously missing something??
>

It might be related to this:
http://shiro-user.582556.n2.nabble.com/Authentication-with-AD-problem-td7391585.html

But I don't believe an issue has been raised within Jira for it.

> synapseRealm = org.apache.shiro.realm.text.IniRealm
> synapseRealm.resourcePath = shiro.ini
>

This line isn't necessary.  When defining a [users] or [roles] section, an
implicit IniRealm is automatically created for you.  It is available as a
bean named 'iniRealm' in the [main] section if you need to use it for
configuration.

Cheers,

Les

Re: Integration of Shiro with Embedded Jetty

Posted by MattShaw <ma...@uk.thalesgroup.com>.
Hi,

Issue 2 may be related to
http://shiro-user.582556.n2.nabble.com/Authentication-with-AD-problem-td7391585.html

I can workaround it with a standard application by throwing an exception if
either the username or password is empty but I don't know how to intercept
the shiro web filter?

Is this a known issue with a JIRA task?

I still haven't figured out issue 1?

Regards

Matt


Re: Integration of Shiro with Embedded Jetty

Posted by MattShaw <ma...@uk.thalesgroup.com>.
Thanks for your help.

I now have it working with both Embedded Jetty and Standalone Application.

It has however created a couple more questions which I'm sure you can
answer.

1)  I have a single shiro.ini file for both implementations and my existing
Standalone Application has the following setting in the .ini file.  However
this causes an exception for the Embedded Jetty version because I guess it
wants to use the standard Web Context Session Timeout.  How can I specify
this in the .ini without causing the web version to throw an exception??

securityManager.sessionManager.globalSessionTimeout = 180000

2) I have an existing issue with the activeDirectoryRealm which is still
occurring with the Jetty implementation.  If I have the activeDirectoryRealm
enabled in my .ini file the authentication against the user accounts
specified in the file do not need a password, i.e. I can type in the
username and enter no password and it authenticates fine (which is
incorrect).  If I comment out the activeDirectoryRealm it does require the
passwords.  I am obviously missing something??

The user accounts in the file aren't in the active directory domain.  I
don't know if this is an issue with our Active Directory Server or with
Shiro.  How can I tell?  Have you seen this before??

My .ini file is below:

# =======================
# Shiro INI configuration
# =======================

[main]
# Objects and their properties are defined here, 
# Such as the securityManager, Realms and anything
# else needed to build the SecurityManager
activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.url = ldap://<ip address not shown>:389
#activeDirectoryRealm.systemUsername = uid=admin,ou=system
#activeDirectoryRealm.systemPassword = secret
#activeDirectoryRealm.searchBase = o=sevenSeas,ou=people

synapseRealm = org.apache.shiro.realm.text.IniRealm
synapseRealm.resourcePath = shiro.ini

authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy

securityManager.authenticator.authenticationStrategy = $authcStrategy

#securityManager.sessionManager.globalSessionTimeout = 1800000

[users]
# The 'users' section is for simple deployments
# when you only need a small number of statically-defined 
# set of User accounts.
testUser=password
testUser1=password1
testUser2=password2
testUser3=password3
guest=guest
matt=matt

[roles]
# The 'roles' section is for simple deployments
# when you only need a small number of statically-defined
# roles.

[urls]
# The 'urls' section is used for url-based security
# in web applications.  We'll discuss this section in the
# Web documentation
/** = authcBasic

Thanks for the help

Matt



Re: Integration of Shiro with Embedded Jetty

Posted by Jared Bunting <ja...@peachjean.com>.
I haven't embedded jetty quite like this, but I've used it a bit.  
Unless there's something that I'm missing, it seems to me that calling:

context.addListener(EnvironmentLoaderListener.class)

should do the trick.  Won't jetty then call "contextInitialized" when, 
well, the context is initialized?

(and actually, looking at the code in ContextHandler.startContext, it 
appears that this should happen)

-Jared

On Fri 04 May 2012 02:17:15 PM CDT, Les Hazlewood wrote:
> Oops - that's not correct, sorry - it does require
> event.getServletContext() to function.  If your event instance can
> return a valid ServletContext instance, it will work.
>
> Les
>
> On Fri, May 4, 2012 at 12:15 PM, Les Hazlewood <lh...@apache.org> wrote:
>> Shiro doesn't actually inspect the event, so you can instantiate it
>> however you want - it just uses it as a trigger mechanism to execute
>> startup/shutdown work.
>>
>> Cheers,
>>
>> Les
>>
>> On Fri, May 4, 2012 at 1:14 AM, MattShaw <ma...@uk.thalesgroup.com> wrote:
>>> Thanks Jared and Lee.
>>>
>>> I took Jared's advice and got it working with Shiro 1.1 with the code and
>>> config changes. :-)
>>>
>>> I then upgraded to Shiro 1.2 and took Lee's code as a start point.
>>>
>>> However new ServletContextEvent() doesn't have a default constructor.  I've
>>> tried lots of options but they all fail with various exceptions.  How should
>>> I construct a ServletContextEvent to enable this to work with Shiro 1.2??
>>>
>>> context.callContextInitialized(listener, new ServletContextEvent(????));
>>>
>>> Thanks for all your help so far and I'm sure this is a quick fix.
>>>
>>> Best regards
>>>
>>> Matt
>>>
>>> --
>>> View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712p7526297.html
>>> Sent from the Shiro User mailing list archive at Nabble.com.
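
Added example (not code from the thread or from the Shiro or Jetty projects): registering the listener with the Jetty context, as Jared suggests, lets Jetty deliver a ServletContextEvent that carries a real ServletContext, and a startup check refuses to serve if Shiro ended up with no [urls] filter chains. The class and method names are hypothetical, and the code assumes Shiro 1.2 and Jetty 8.1 as used in the thread.

```java
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Servlet;

import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.env.WebEnvironment;
import org.apache.shiro.web.servlet.ShiroFilter;
import org.apache.shiro.web.util.WebUtils;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

/** Hypothetical bootstrap for the embedded RSS server described in the thread. */
public final class SecuredFeedServer {

    private SecuredFeedServer() { }

    /**
     * Starts Jetty with Shiro in front of the given servlet.
     *
     * @param port        TCP port to listen on
     * @param feedServlet the servlet that serves the feed (FeedHandler in the thread)
     */
    public static Server start(int port, Servlet feedServlet) throws Exception {
        Server server = new Server(port);
        ServletContextHandler context =
                new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");

        // Register the listener instead of calling contextInitialized() by
        // hand: Jetty fires the event itself when the context starts, so
        // event.getServletContext() returns a valid ServletContext.
        context.addEventListener(new EnvironmentLoaderListener());

        // Root ShiroFilter; the actual chains come from shiro.ini's [urls].
        context.addFilter(ShiroFilter.class, "/*", EnumSet.allOf(DispatcherType.class));
        context.addServlet(new ServletHolder(feedServlet), "/*");
        server.setHandler(context);

        server.start();
        try {
            requireFilterChains(context);
        } catch (IllegalStateException e) {
            // Fail closed: do not keep serving content without authentication.
            server.stop();
            throw e;
        }
        return server;
    }

    /**
     * Throws IllegalStateException if Shiro was not initialised for this
     * context or if no filter chains were configured, in which case requests
     * would pass through the ShiroFilter without any authentication filter.
     */
    static void requireFilterChains(ServletContextHandler context) {
        WebEnvironment env =
                WebUtils.getRequiredWebEnvironment(context.getServletContext());
        if (env.getFilterChainResolver() == null) {
            throw new IllegalStateException(
                    "No Shiro filter chains defined; add e.g. '/** = authcBasic' to [urls]");
        }
    }
}
```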



Re: Integration of Shiro with Embedded Jetty

Posted by Les Hazlewood <lh...@apache.org>.
Oops - that's not correct, sorry - it does require
event.getServletContext() to function.  If your event instance can
return a valid ServletContext instance, it will work.

Les

On Fri, May 4, 2012 at 12:15 PM, Les Hazlewood <lh...@apache.org> wrote:
> Shiro doesn't actually inspect the event, so you can instantiate it
> however you want - it just uses it as a trigger mechanism to execute
> startup/shutdown work.
>
> Cheers,
>
> Les
>
> On Fri, May 4, 2012 at 1:14 AM, MattShaw <ma...@uk.thalesgroup.com> wrote:
>> Thanks Jared and Lee.
>>
>> I took Jared's advice and got it working with Shiro 1.1 with the code and
>> config changes. :-)
>>
>> I then upgraded to Shiro 1.2 and took Lee's code as a start point.
>>
>> However new ServletContextEvent() doesn't have a default constructor.  I've
>> tried lots of options but they all fail with various exceptions.  How should
>> I construct a ServletContextEvent to enable this to work with Shiro 1.2??
>>
>> context.callContextInitialized(listener, new ServletContextEvent(????));
>>
>> Thanks for all your help so far and I'm sure this is a quick fix.
>>
>> Best regards
>>
>> Matt
>>
>> --
>> View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712p7526297.html
>> Sent from the Shiro User mailing list archive at Nabble.com.

Re: Integration of Shiro with Embedded Jetty

Posted by Les Hazlewood <lh...@apache.org>.
Shiro doesn't actually inspect the event, so you can instantiate it
however you want - it just uses it as a trigger mechanism to execute
startup/shutdown work.

Cheers,

Les

On Fri, May 4, 2012 at 1:14 AM, MattShaw <ma...@uk.thalesgroup.com> wrote:
> Thanks Jared and Lee.
>
> I took Jared's advice and got it working with Shiro 1.1 with the code and
> config changes. :-)
>
> I then upgraded to Shiro 1.2 and took Lee's code as a start point.
>
> However new ServletContextEvent() doesn't have a default constructor.  I've
> tried lots of options but they all fail with various exceptions.  How should
> I construct a ServletContextEvent to enable this to work with Shiro 1.2??
>
> context.callContextInitialized(listener, new ServletContextEvent(????));
>
> Thanks for all your help so far and I'm sure this is a quick fix.
>
> Best regards
>
> Matt
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712p7526297.html
> Sent from the Shiro User mailing list archive at Nabble.com.

Re: Integration of Shiro with Embedded Jetty

Posted by MattShaw <ma...@uk.thalesgroup.com>.
Thanks Jared and Lee.

I took Jared's advice and got it working with Shiro 1.1 with the code and
config changes. :-)

I then upgraded to Shiro 1.2 and took Lee's code as a start point.

However new ServletContextEvent() doesn't have a default constructor.  I've
tried lots of options but they all fail with various exceptions.  How should
I construct a ServletContextEvent to enable this to work with Shiro 1.2??

context.callContextInitialized(listener, new ServletContextEvent(????));

Thanks for all your help so far and I'm sure this is a quick fix.

Best regards

Matt


Re: Integration of Shiro with Embedded Jetty

Posted by Les Hazlewood <lh...@apache.org>.
Oops - my fault - I missed the 1.2 part.  Thanks for clarifying Jared.

Thanks,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com <http://www.stormpath.com/> |
888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog:
http://www.stormpath.com/blog<http://www.stormpath.com/blog/index>


On Wed, May 2, 2012 at 1:41 PM, Jared Bunting
<ja...@peachjean.com> wrote:

> I only mentioned IniShiroFilter since Matt said he was on 1.1.
> EnvironmentLoaderListener was added in 1.2, wasn't it?
>
> Matt, if possible, I would recommend using 1.2.
>
> -Jared
>
> On Wed 02 May 2012 01:43:25 PM CDT, Les Hazlewood wrote:
> > Hi Matt,
> >
> > Yes, Jared's right, you'll probably want the main ShiroFilter
> > configured within Jetty.  This is a 'master filter' of sorts that will
> > internally delegate to other filter chains defined in shiro.ini (this
> > is much easier to do in shiro.ini than in Jetty-specific code IMO).
> >
> > So, your code might look like this:
> >
> > m_rssServer = new Server(m_portNumber);
> > ServletContextHandler context = new
> > ServletContextHandler(ServletContextHandler.SESSIONS);
> > context.setContextPath("/");
> >
> > //set up Shiro 1.2+ environment:
> > EnvironmentLoaderListener listener = new EnvironmentLoaderListener();
> > context.callContextInitialized(listener, new ServletContextEvent());
> >
> > //Add root ShiroFilter:
> > FilterHolder filterHolder = new FilterHolder();
> > filterHolder.setFilter(new ShiroFilter());
> > // all remaining filters and filter chains are defined in shiro.ini's
> > [urls] section.
> >
> > EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class);
> > context.addFilter(filterHolder, "/*", types);
> > context.addServlet(new ServletHolder(new FeedHandler()),"/*");
> > m_rssServer.setHandler(context);
> > m_rssServer.start();
> >
> > Now, I didn't test this, so you might have to tweak it a bit depending
> > on how Jetty's ServletContextHolder concept functions, but the idea is
> > what is important:
> >
> > 1) set up the EnvironmentLoaderListener to initialize Shiro (defaults
> > to shiro.ini in /WEB-INF/shiro.ini or at the root of the classpath).
> > 2) create and init a ShiroFilter, which will look up and use the Shiro
> > WebEnvironment created in 1).
> >
> > Shiro will then filter all requests.  You can set up any remaining
> > servlet filters (including the BasicHttpAuthenticationFilter) in
> > shiro.ini's [urls] section, just like Jared showed (/** = authcBasic).
> >
> > HTH,
> >
> > --
> > Les Hazlewood
> > CTO, Stormpath | http://stormpath.com | 888.391.5282
> > twitter: @lhazlewood | http://twitter.com/lhazlewood
> > blog: http://leshazlewood.com
> > stormpath blog: http://www.stormpath.com/blog
> >
> >
> > On Wed, May 2, 2012 at 8:38 AM, Jared Bunting
> > <ja...@peachjean.com> wrote:
> >> It looks to me like, in your code, you should be adding IniShiroFilter
> >> instead of BasicHttpAuthenticationFilter.  And then, in the [urls]
> >> section of shiro.ini, you'll need something like:
> >>
> >> /** = authcBasic
> >>
> >> -Jared
> >>
> >> On Wed 02 May 2012 10:04:39 AM CDT, MattShaw wrote:
> >>> Hi Lee,
> >>>
> >>> Ok thanks,
> >>>
> >>> I'm inexperienced in this area and so I'm not sure how to integrate the
> >>> Shiro implementation with our new Embedded Jetty Server.  I assumed there
> >>> would be a mechanism.
> >>>
> >>> I'm currently using Shiro 1.1 and Jetty 8.1
> >>>
> >>> The Jetty Code looks like this:
> >>>
> >>> m_rssServer = new Server(m_portNumber);
> >>> ServletContextHandler context = new
> >>> ServletContextHandler(ServletContextHandler.SESSIONS);
> >>> context.setContextPath("/");
> >>> FilterHolder filterHolder = new FilterHolder();
> >>> filterHolder.setFilter(new BasicHttpAuthenticationFilter());
> >>> EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class);
> >>> context.addFilter(filterHolder, "/*", types);
> >>> context.addServlet(new ServletHolder(new FeedHandler()),"/*");
> >>> m_rssServer.setHandler(context);
> >>> m_rssServer.start();
> >>>
> >>> Where Server is the Jetty embedded Jetty server.
> >>>
> >>> When I now run this modified code the Browser doesn't challenge me for a
> >>> username/password, it just shows the content as if the Filter wasn't there?
> >>>
> >>> I don't have a web.xml or any other config file apart from the shiro.ini
> >>> which has the following content:
> >>>
> >>> # =======================
> >>> # Shiro INI configuration
> >>> # =======================
> >>>
> >>> [main]
> >>> # Objects and their properties are defined here,
> >>> # Such as the securityManager, Realms and anything
> >>> # else needed to build the SecurityManager
> >>> activeDirectoryRealm =
> >>> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> >>> activeDirectoryRealm.url = ldap://<hidden from forum>
> >>>
> >>> iniRealm = org.apache.shiro.realm.text.IniRealm
> >>> iniRealm.resourcePath = vkb.ini
> >>>
> >>> authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
> >>>
> >>> securityManager.authenticator.authenticationStrategy = $authcStrategy
> >>>
> >>> securityManager.sessionManager.globalSessionTimeout = 1800000
> >>>
> >>> [users]
> >>> # The 'users' section is for simple deployments
> >>> # when you only need a small number of statically-defined
> >>> # set of User accounts.
> >>> testUser=password
> >>> testUser1=password1
> >>> testUser2=password2
> >>> testUser3=password3
> >>> guest=guest
> >>>
> >>> [roles]
> >>> # The 'roles' section is for simple deployments
> >>> # when you only need a small number of statically-defined
> >>> # roles.
> >>>
> >>> [urls]
> >>> # The 'urls' section is used for url-based security
> >>> # in web applications.  We'll discuss this section in the
> >>> # Web documentation
> >>>
> >>> Please could you offer any advice as I am obviously missing something?
> >>>
> >>> Best regards
> >>>
> >>> Matt
> >>>
> >>> --
> >>> View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712p7520498.html
> >>> Sent from the Shiro User mailing list archive at Nabble.com.
> >>
> >>
>
>
>

Re: Integration of Shiro with Embedded Jetty

Posted by Jared Bunting <ja...@peachjean.com>.
I only mentioned IniShiroFilter since Matt said he was on 1.1.  
EnvironmentLoaderListener was added in 1.2, wasn't it?

Matt, if possible, I would recommend using 1.2.

-Jared

On Wed 02 May 2012 01:43:25 PM CDT, Les Hazlewood wrote:
> Hi Matt,
>
> Yes, Jared's right, you'll probably want the main ShiroFilter
> configured within Jetty.  This is a 'master filter' of sorts that will
> internally delegate to other filter chains defined in shiro.ini (this
> is much easier to do in shiro.ini than in Jetty-specific code IMO).
>
> So, your code might look like this:
>
> m_rssServer = new Server(m_portNumber);
> ServletContextHandler context = new
> ServletContextHandler(ServletContextHandler.SESSIONS);
> context.setContextPath("/");
>
> //set up Shiro 1.2+ environment:
> EnvironmentLoaderListener listener = new EnvironmentLoaderListener();
> context.callContextInitialized(listener, new ServletContextEvent());
>
> //Add root ShiroFilter:
> FilterHolder filterHolder = new FilterHolder();
> filterHolder.setFilter(new ShiroFilter());
> // all remaining filters and filter chains are defined in shiro.ini's
> [urls] section.
>
> EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class);
> context.addFilter(filterHolder, "/*", types);
> context.addServlet(new ServletHolder(new FeedHandler()),"/*");
> m_rssServer.setHandler(context);
> m_rssServer.start();
>
> Now, I didn't test this, so you might have to tweak it a bit depending
> on how Jetty's ServletContextHolder concept functions, but the idea is
> what is important:
>
> 1) set up the EnvironmentLoaderListener to initialize Shiro (defaults
> to shiro.ini in /WEB-INF/shiro.ini or at the root of the classpath).
> 2) create and init a ShiroFilter, which will look up and use the Shiro
> WebEnvironment created in 1).
>
> Shiro will then filter all requests.  You can set up any remaining
> servlet filters (including the BasicHttpAuthenticationFilter) in
> shiro.ini's [urls] section, just like Jared showed (/** = authcBasic).
>
> HTH,
>
> --
> Les Hazlewood
> CTO, Stormpath | http://stormpath.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> blog: http://leshazlewood.com
> stormpath blog: http://www.stormpath.com/blog
>
>
> On Wed, May 2, 2012 at 8:38 AM, Jared Bunting
> <ja...@peachjean.com> wrote:
>> It looks to me like, in your code, you should be adding IniShiroFilter
>> instead of BasicHttpAuthenticationFilter.  And then, in the [urls]
>> section of shiro.ini, you'll need something like:
>>
>> /** = authcBasic
>>
>> -Jared
>>
>> On Wed 02 May 2012 10:04:39 AM CDT, MattShaw wrote:
>>> Hi Lee,
>>>
>>> Ok thanks,
>>>
>>> I'm inexperienced in this area and so I'm not sure how to integrate the
>>> Shiro implementation with our new Embedded Jetty Server.  I assumed there
>>> would be a mechanism.
>>>
>>> I'm currently using Shiro 1.1 and Jetty 8.1
>>>
>>> The Jetty Code looks like this:
>>>
>>> m_rssServer = new Server(m_portNumber);
>>> ServletContextHandler context = new
>>> ServletContextHandler(ServletContextHandler.SESSIONS);
>>> context.setContextPath("/");
>>> FilterHolder filterHolder = new FilterHolder();
>>> filterHolder.setFilter(new BasicHttpAuthenticationFilter());
>>> EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class);
>>> context.addFilter(filterHolder, "/*", types);
>>> context.addServlet(new ServletHolder(new FeedHandler()),"/*");
>>> m_rssServer.setHandler(context);
>>> m_rssServer.start();
>>>
>>> Where Server is the Jetty embedded Jetty server.
>>>
>>> When I now run this modified code the Browser doesn't challenge me for a
>>> username/password, it just shows the content as if the Filter wasn't there?
>>>
>>> I don't have a web.xml or any other config file apart from the shiro.ini
>>> which has the following content:
>>>
>>> # =======================
>>> # Shiro INI configuration
>>> # =======================
>>>
>>> [main]
>>> # Objects and their properties are defined here,
>>> # Such as the securityManager, Realms and anything
>>> # else needed to build the SecurityManager
>>> activeDirectoryRealm =
>>> org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>>> activeDirectoryRealm.url = ldap://<hidden from forum>
>>>
>>> iniRealm = org.apache.shiro.realm.text.IniRealm
>>> iniRealm.resourcePath = vkb.ini
>>>
>>> authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
>>>
>>> securityManager.authenticator.authenticationStrategy = $authcStrategy
>>>
>>> securityManager.sessionManager.globalSessionTimeout = 1800000
>>>
>>> [users]
>>> # The 'users' section is for simple deployments
>>> # when you only need a small number of statically-defined
>>> # set of User accounts.
>>> testUser=password
>>> testUser1=password1
>>> testUser2=password2
>>> testUser3=password3
>>> guest=guest
>>>
>>> [roles]
>>> # The 'roles' section is for simple deployments
>>> # when you only need a small number of statically-defined
>>> # roles.
>>>
>>> [urls]
>>> # The 'urls' section is used for url-based security
>>> # in web applications.  We'll discuss this section in the
>>> # Web documentation
>>>
>>> Please could you offer any advice as I am obviously missing something?
>>>
>>> Best regards
>>>
>>> Matt
>>>
>>> --
>>> View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712p7520498.html
>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>>



Re: Integration of Shiro with Embedded Jetty

Posted by Les Hazlewood <lh...@apache.org>.
Hi Matt,

Yes, Jared's right, you'll probably want the main ShiroFilter
configured within Jetty.  This is a 'master filter' of sorts that will
internally delegate to other filter chains defined in shiro.ini (this
is much easier to do in shiro.ini than in Jetty-specific code IMO).

So, your code might look like this:

m_rssServer = new Server(m_portNumber);
ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
context.setContextPath("/");

//set up Shiro 1.2+ environment:
EnvironmentLoaderListener listener = new EnvironmentLoaderListener();
context.callContextInitialized(listener, new ServletContextEvent());

//Add root ShiroFilter:
FilterHolder filterHolder = new FilterHolder();
filterHolder.setFilter(new ShiroFilter());
// all remaining filters and filter chains are defined in shiro.ini's [urls] section.

EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class);
context.addFilter(filterHolder, "/*", types);
context.addServlet(new ServletHolder(new FeedHandler()),"/*");
m_rssServer.setHandler(context);
m_rssServer.start();

Now, I didn't test this, so you might have to tweak it a bit depending
on how Jetty's ServletContextHolder concept functions, but the idea is
what is important:

1) set up the EnvironmentLoaderListener to initialize Shiro (defaults
to shiro.ini in /WEB-INF/shiro.ini or at the root of the classpath).
2) create and init a ShiroFilter, which will look up and use the Shiro
WebEnvironment created in 1).

Shiro will then filter all requests.  You can set up any remaining
servlet filters (including the BasicHttpAuthenticationFilter) in
shiro.ini's [urls] section, just like Jared showed (/** = authcBasic).

HTH,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog


On Wed, May 2, 2012 at 8:38 AM, Jared Bunting
<ja...@peachjean.com> wrote:
> It looks to me like, in your code, you should be adding IniShiroFilter
> instead of BasicHttpAuthenticationFilter.  And then, in the [urls]
> section of shiro.ini, you'll need something like:
>
> /** = authcBasic
>
> -Jared
>
> On Wed 02 May 2012 10:04:39 AM CDT, MattShaw wrote:
>> Hi Lee,
>>
>> Ok thanks,
>>
>> I'm inexperienced in this area and so I'm not sure how to integrate the
>> Shiro implementation with our new Embedded Jetty Server.  I assumed there
>> would be a mechanism.
>>
>> I'm currently using Shiro 1.1 and Jetty 8.1
>>
>> The Jetty Code looks like this:
>>
>> m_rssServer = new Server(m_portNumber);
>> ServletContextHandler context = new
>> ServletContextHandler(ServletContextHandler.SESSIONS);
>> context.setContextPath("/");
>> FilterHolder filterHolder = new FilterHolder();
>> filterHolder.setFilter(new BasicHttpAuthenticationFilter());
>> EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class);
>> context.addFilter(filterHolder, "/*", types);
>> context.addServlet(new ServletHolder(new FeedHandler()),"/*");
>> m_rssServer.setHandler(context);
>> m_rssServer.start();
>>
>> Where Server is the Jetty embedded Jetty server.
>>
>> When I now run this modified code the Browser doesn't challenge me for a
>> username/password, it just shows the content as if the Filter wasn't there?
>>
>> I don't have a web.xml or any other config file apart from the shiro.ini
>> which has the following content:
>>
>> # =======================
>> # Shiro INI configuration
>> # =======================
>>
>> [main]
>> # Objects and their properties are defined here,
>> # Such as the securityManager, Realms and anything
>> # else needed to build the SecurityManager
>> activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
>> activeDirectoryRealm.url = ldap://<hidden from forum>
>>
>> iniRealm = org.apache.shiro.realm.text.IniRealm
>> iniRealm.resourcePath = vkb.ini
>>
>> authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
>>
>> securityManager.authenticator.authenticationStrategy = $authcStrategy
>>
>> securityManager.sessionManager.globalSessionTimeout = 1800000
>>
>> [users]
>> # The 'users' section is for simple deployments
>> # when you only need a small number of statically-defined
>> # set of User accounts.
>> testUser=password
>> testUser1=password1
>> testUser2=password2
>> testUser3=password3
>> guest=guest
>>
>> [roles]
>> # The 'roles' section is for simple deployments
>> # when you only need a small number of statically-defined
>> # roles.
>>
>> [urls]
>> # The 'urls' section is used for url-based security
>> # in web applications.  We'll discuss this section in the
>> # Web documentation
>>
>> Please could you offer any advice as I am obviously missing something?
>>
>> Best regards
>>
>> Matt
>>
>> --
>> View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712p7520498.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>
>

Re: Integration of Shiro with Embedded Jetty

Posted by Jared Bunting <ja...@peachjean.com>.
It looks to me like, in your code, you should be adding IniShiroFilter 
instead of BasicHttpAuthenticationFilter.  And then, in the [urls] 
section of shiro.ini, you'll need something like:

/** = authcBasic

-Jared

On Wed 02 May 2012 10:04:39 AM CDT, MattShaw wrote:
> Hi Lee,
>
> Ok thanks,
>
> I'm inexperienced in this area and so I'm not sure how to integrate the
> Shiro implementation with our new Embedded Jetty Server.  I assumed there
> would be a mechanism.
>
> I'm currently using Shiro 1.1 and Jetty 8.1
>
> The Jetty Code looks like this:
>
> m_rssServer = new Server(m_portNumber);
> ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
> context.setContextPath("/");
> FilterHolder filterHolder = new FilterHolder();
> filterHolder.setFilter(new BasicHttpAuthenticationFilter());
> EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class);
> context.addFilter(filterHolder, "/*", types);
> context.addServlet(new ServletHolder(new FeedHandler()),"/*");
> m_rssServer.setHandler(context);
> m_rssServer.start();
>
> Where Server is the Jetty embedded Jetty server.
>
> When I now run this modified code the Browser doesn't challenge me for a
> username/password, it just shows the content as if the Filter wasn't there?
>
> I don't have a web.xml or any other config file apart from the shiro.ini
> which has the following content:
>
> # =======================
> # Shiro INI configuration
> # =======================
>
> [main]
> # Objects and their properties are defined here,
> # Such as the securityManager, Realms and anything
> # else needed to build the SecurityManager
> activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
> activeDirectoryRealm.url = ldap://<hidden from forum>
>
> iniRealm = org.apache.shiro.realm.text.IniRealm
> iniRealm.resourcePath = vkb.ini
>
> authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
>
> securityManager.authenticator.authenticationStrategy = $authcStrategy
>
> securityManager.sessionManager.globalSessionTimeout = 1800000
>
> [users]
> # The 'users' section is for simple deployments
> # when you only need a small number of statically-defined
> # set of User accounts.
> testUser=password
> testUser1=password1
> testUser2=password2
> testUser3=password3
> guest=guest
>
> [roles]
> # The 'roles' section is for simple deployments
> # when you only need a small number of statically-defined
> # roles.
>
> [urls]
> # The 'urls' section is used for url-based security
> # in web applications.  We'll discuss this section in the
> # Web documentation
>
> Please could you offer any advice as I am obviously missing something?
>
> Best regards
>
> Matt
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712p7520498.html
> Sent from the Shiro User mailing list archive at Nabble.com.
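
An added example (not code from this thread's participants or from the Shiro project) of the suggestion above for Shiro 1.1 on embedded Jetty 8: IniShiroFilter is registered in place of a bare BasicHttpAuthenticationFilter, and a check confirms that a request without credentials is challenged. The class and method names, port 8080, the stand-in servlet and the classpath location of shiro.ini are assumptions.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.http.*;
import org.apache.shiro.web.servlet.IniShiroFilter;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.*;

public class ShiroJettyExample {
    // Assumption: a shiro.ini valid for a web environment is on the classpath
    // and its [urls] section contains the rule from the reply:  /** = authcBasic

    static Server start(int port, HttpServlet feed) throws Exception {
        Server server = new Server(port);
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        // Register Shiro's master filter. It builds the SecurityManager from
        // the INI and runs authcBasic for the paths listed under [urls].
        FilterHolder shiro = new FilterHolder(new IniShiroFilter());
        shiro.setInitParameter("configPath", "classpath:shiro.ini");
        context.addFilter(shiro, "/*", EnumSet.allOf(DispatcherType.class));
        context.addServlet(new ServletHolder(feed), "/*");
        server.setHandler(context);
        server.start();
        return server;
    }

    // Fail-closed check: a request without credentials must be answered
    // with 401 and a Basic challenge, never with the feed itself.
    static boolean challengesAnonymous(int port) throws Exception {
        URL url = new URL("http://localhost:" + port + "/");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        int status = conn.getResponseCode();
        String challenge = conn.getHeaderField("WWW-Authenticate");
        return status == HttpURLConnection.HTTP_UNAUTHORIZED
                && challenge != null && challenge.regionMatches(true, 0, "Basic", 0, 5);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in servlet (hypothetical); the post's FeedHandler would go here.
        HttpServlet feed = new HttpServlet() {
            protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                    throws java.io.IOException {
                resp.getWriter().println("<rss version=\"2.0\"/>");
            }
        };
        Server server = start(8080, feed);
        System.out.println("anonymous request challenged: " + challengesAnonymous(8080));
        server.stop();
    }
}
```

A Shiro path-matching filter that has no path configuration passes requests straight through, which is consistent with the unchallenged feed described in the quoted post.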



Re: Integration of Shiro with Embedded Jetty

Posted by MattShaw <ma...@uk.thalesgroup.com>.
Hi Lee,

Ok thanks,

I'm inexperienced in this area and so I'm not sure how to integrate the
Shiro implementation with our new Embedded Jetty Server.  I assumed there
would be a mechanism.

I'm currently using Shiro 1.1 and Jetty 8.1

The Jetty Code looks like this:

m_rssServer = new Server(m_portNumber);
ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
context.setContextPath("/");
FilterHolder filterHolder = new FilterHolder();
filterHolder.setFilter(new BasicHttpAuthenticationFilter());
EnumSet<DispatcherType> types = EnumSet.allOf(DispatcherType.class);
context.addFilter(filterHolder, "/*", types);
context.addServlet(new ServletHolder(new FeedHandler()),"/*");
m_rssServer.setHandler(context);
m_rssServer.start();

Where Server is the Jetty embedded Jetty server.

When I now run this modified code the Browser doesn't challenge me for a
username/password, it just shows the content as if the Filter wasn't there?

I don't have a web.xml or any other config file apart from the shiro.ini
which has the following content:

# =======================
# Shiro INI configuration
# =======================

[main]
# Objects and their properties are defined here, 
# Such as the securityManager, Realms and anything
# else needed to build the SecurityManager
activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
activeDirectoryRealm.url = ldap://<hidden from forum>

iniRealm = org.apache.shiro.realm.text.IniRealm
iniRealm.resourcePath = vkb.ini

authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy

securityManager.authenticator.authenticationStrategy = $authcStrategy

securityManager.sessionManager.globalSessionTimeout = 1800000

[users]
# The 'users' section is for simple deployments
# when you only need a small number of statically-defined 
# set of User accounts.
testUser=password
testUser1=password1
testUser2=password2
testUser3=password3
guest=guest

[roles]
# The 'roles' section is for simple deployments
# when you only need a small number of statically-defined
# roles.

[urls]
# The 'urls' section is used for url-based security
# in web applications.  We'll discuss this section in the
# Web documentation

Please could you offer any advice as I am obviously missing something?

Best regards

Matt

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712p7520498.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Integration of Shiro with Embedded Jetty

Posted by Les Hazlewood <lh...@apache.org>.
Hi Matt,

Why would you do this in a container-specific manner when Shiro
supports server-side HTTP Basic Authentication out of the box via its
HttpBasicAuthenticationFilter
(http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.html)
?

If you can use this, it will work in any Servlet Container and you
don't have to worry about container-specific customization.  Is this
not sufficient?

Cheers,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog


On Wed, May 2, 2012 at 3:47 AM, MattShaw <ma...@uk.thalesgroup.com> wrote:
> Hi,
>
> I am successfully using Shiro in my application (non web based) for
> authentication.  I have just added an Embedded Jetty Server into the app to
> serve some basic RSS data over HTTP which works fine.
>
> I would like to enable Basic HTTP Authentication into the RSS web feed,
> which is possible using Jetty, but how do I devolve the Jetty LoginService
> to use the Shiro libraries and configuration?  There seems to be no obvious
> method?  I am not using any Jetty config files it's all programmatic.
>
> Regards
>
> Matt
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Integration-of-Shiro-with-Embedded-Jetty-tp7519712.html
> Sent from the Shiro User mailing list archive at Nabble.com.