Posted to user@shiro.apache.org by P82 <st...@mail.ru> on 2014/05/26 21:32:21 UTC

Glassfish 4 + EJB + Shiro + OSGI standalone client

Hello experts! The subject describes well what I want. Can you say whether it
will work, and can anyone provide a tutorial/example of how to implement Shiro
security to connect to a protected remote EJB from a standalone client?



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Glassfish-4-EJB-Shiro-OSGI-standalone-client-tp7579977.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by P82 <st...@mail.ru>.
@lprimak Good boy! 
@AllOthers Can anyone approve that this two-step algorithm is right and help
me with step two?




Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
No problems.  I am no Shiro expert myself, but I read the docs (and slept)
and looked at some of Shiro's source code, and after about 3 days, it all started to make sense to me.
BTW, I re-read the pertinent sections of the docs about 5 times to start getting it.

On May 27, 2014, at 10:53 AM, P82 wrote:

> You know. When you don't sleep for several nights, your proposal about playing is
> a little bit funny. If I understand shiro's principal right, as we discussed
> with you, I need to implement step two. That's why I asked you for help.
> Please don't tell me the importance of reading docs; I know it well. It's
> just not the right situation. Ok, I promise I'll read it later :)
> 


Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by P82 <st...@mail.ru>.
You know. When you don't sleep for several nights, your proposal about playing is
a little bit funny. If I understand shiro's principal right, as we discussed
with you, I need to implement step two. That's why I asked you for help.
Please don't tell me the importance of reading docs; I know it well. It's
just not the right situation. Ok, I promise I'll read it later :)




Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
When you read the documentation and play around a bit, the code will make great sense to you.
You may even just wind up using the library, not copy/pasting pieces of code.

On May 27, 2014, at 10:45 AM, P82 wrote:

> Ok. I will read it with attention. Can you only point me to how to set the sessionId
> on the server side? Just a line of code. Please. I've read the code you provided
> but didn't find it.
> 


Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by P82 <st...@mail.ru>.
Ok. I will read it with attention. Can you only point me to how to set the sessionId
on the server side? Just a line of code. Please. I've read the code you provided
but didn't find it.




Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
You need to read Shiro's documentation.  The questions you are asking are very basic, and they are well documented.

On May 27, 2014, at 10:36 AM, P82 wrote:

> Something strange happens when I try to follow the discussed algorithm. I'm at step
> one. So I have one method in an EJB and call it.
> 
> Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
> SecurityManager securityManager = factory.getInstance();
> SecurityUtils.setSecurityManager(securityManager);
> Subject currentUser = SecurityUtils.getSubject();
> 
> if (!currentUser.isAuthenticated()) {
>     UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
>     System.out.println("#0:" + currentUser.getSession().getId());
>     currentUser.login(token);
> } else {
>     currentUser.logout();
>     System.out.println("I logged out");
> }
> System.out.println("#1:" + currentUser.getSession().getId());
> 
> When I call it the first time from my client I have:
>  #0:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
>  #1:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
> When I call it the second time from the client I have:
>  I logged out
>  #1:2edcab36-cb97-4722-b91b-82ec225deb78
> Again:
>  #0:2edcab36-cb97-4722-b91b-82ec225deb78
>  #1:2edcab36-cb97-4722-b91b-82ec225deb78
> Again:
>  I logged out
>  #1:b92ba3f4-deb9-41f2-9a36-b571dc33f082
> 
> So as I understand, somewhere (the question is where - I don't send any
> session in a parameter) the session is kept. What's wrong?
> 


Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by P82 <st...@mail.ru>.
Something strange happens when I try to follow the discussed algorithm. I'm at step
one. So I have one method in an EJB and call it.

Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
Subject currentUser = SecurityUtils.getSubject();

if (!currentUser.isAuthenticated()) {
    UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
    System.out.println("#0:" + currentUser.getSession().getId());
    currentUser.login(token);
} else {
    currentUser.logout();
    System.out.println("I logged out");
}
System.out.println("#1:" + currentUser.getSession().getId());

When I call it the first time from my client I have:
  #0:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
  #1:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
When I call it the second time from the client I have:
  I logged out
  #1:2edcab36-cb97-4722-b91b-82ec225deb78
Again:
  #0:2edcab36-cb97-4722-b91b-82ec225deb78
  #1:2edcab36-cb97-4722-b91b-82ec225deb78
Again:
  I logged out
  #1:b92ba3f4-deb9-41f2-9a36-b571dc33f082

So as I understand, somewhere (the question is where - I don't send any
session in a parameter) the session is kept. What's wrong?





Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
You are on the right track.  SecurityUtils.getSubject().getSession().getId() will return the session ID.
You can automate the sessionID transfers by using EJB interceptors.
The code I posted before can be used to keep Shiro / EJB security context between multiple remote EJBs.


On May 27, 2014, at 9:58 AM, P82 wrote:

> And again thank you for your time. When you answered me I was thinking how
> Shiro distinguishes users on the server side (as it's the very important
> issue).
> If I understand you right I can do according to such algorithm:
> 1) From the standalone client I call some EJB which has a method something like
> this: public String getSessionId(name,pass). If name and pass are correct it
> returns sessionId, otherwise null.
> 2) After that, every time I call an EJB I call public ...
> ejbMethod(sessionId,ejbParam)
> If I am right then I can't find one thing: how to getSessionId from
> SecurityManager at step one and setSessionId at step two. Can you help me?
> 
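
Added example, not part of the original thread and not code from the flowlogix library: a sketch of the two-step scheme discussed above, using Shiro's Subject.Builder to rebuild the Subject from a session ID inside an EJB interceptor. It assumes one SecurityManager registered at startup with SecurityUtils.setSecurityManager, the javax.* (Java EE 7) interceptor API, and the session ID passed as the first method argument; the class names LoginSupport and SessionIdInterceptor are hypothetical.

```java
import java.util.concurrent.Callable;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.Subject;

/** Step 1 (hypothetical helper): authenticate and return the Shiro session ID. */
class LoginSupport {
    static String getSessionId(String name, char[] pass) {
        // Build a fresh Subject rather than calling SecurityUtils.getSubject(),
        // which returns the Subject already bound to the current thread, if any.
        Subject subject = new Subject.Builder(SecurityUtils.getSecurityManager()).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(name, pass));
        } catch (AuthenticationException e) {
            return null; // step 1 in the thread: null when name/pass are wrong
        }
        return subject.getSession().getId().toString();
    }
}

/** Step 2 (hypothetical interceptor): rebuild the caller's Subject on every call. */
public class SessionIdInterceptor {
    @AroundInvoke
    public Object bindSubject(final InvocationContext ctx) throws Exception {
        Object[] params = ctx.getParameters();
        if (params.length == 0 || !(params[0] instanceof String)) {
            throw new SecurityException("session ID expected as first argument");
        }
        Subject subject = new Subject.Builder(SecurityUtils.getSecurityManager())
                .sessionId((String) params[0]).buildSubject();
        // An unknown or expired ID yields an anonymous Subject, so check explicitly.
        if (!subject.isAuthenticated()) {
            throw new SecurityException("not authenticated");
        }
        try {
            // execute() binds the Subject to the thread for this call only.
            return subject.execute(new Callable<Object>() {
                public Object call() throws Exception { return ctx.proceed(); }
            });
        } catch (ExecutionException e) {
            throw (e.getCause() instanceof Exception) ? (Exception) e.getCause() : e;
        }
    }
}
```

The session ID acts as a bearer credential in this scheme, so the client-server transport needs to be encrypted.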


Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by P82 <st...@mail.ru>.
And again thank you for your time. When you answered me I was thinking how
Shiro distinguishes users on the server side (as it's the very important
issue).
If I understand you right I can do according to such algorithm:
1) From the standalone client I call some EJB which has a method something like
this: public String getSessionId(name,pass). If name and pass are correct it
returns sessionId, otherwise null.
2) After that, every time I call an EJB I call public ...
ejbMethod(sessionId,ejbParam)
If I am right then I can't find one thing: how to getSessionId from
SecurityManager at step one and setSessionId at step two. Can you help me?




Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Use the same model as the Web.  Send username / password to the server,
get back a token (sessionID via Shiro) and send it with every request.
Then, use Shiro interceptors from what I sent you before to re-establish the Shiro session
using the sessionID.

On May 27, 2014, at 1:27 AM, P82 wrote:

> This is the most important problem: how to establish Shiro security between
> client and server, and this is the core of my question. So the question is still
> open - can anyone provide a tutorial/example of how to implement Shiro security
> to connect to a protected remote EJB from a standalone client?
> 


Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by P82 <st...@mail.ru>.
This is the most important problem: how to establish Shiro security between
client and server, and this is the core of my question. So the question is still
open - can anyone provide a tutorial/example of how to implement Shiro security
to connect to a protected remote EJB from a standalone client?




Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
To put it another way, all code has to reside on both client and server,
and the missing piece for you is how to pass the authentication context from client to server,
something of a web session cookie equivalent.

On May 27, 2014, at 1:05 AM, Lenny Primak wrote:

> There are many different design considerations that pertain to your own situation.
> This example is a self-contained web application that shares Shiro security context with EJB security context.
> You will need to do more work and design to figure out how to extend this to the client situation,
> as there are different levels of trust between client and server.
> 
> What I provided is a starting point, and an example of how to deal with sharing security context between EJB
> and Shiro.  My situation (web server / app server communication) is not the same as yours (client/server).
> You need some other way to push the security context around, as in my situation, the context just stays in the web server.
> 
> I don't think there is an out-of-the-box solution for this.
> 
> On May 27, 2014, at 12:48 AM, P82 wrote:
> 
>> Thank you for your time. But I can't understand from the links which you provide
>> what code I must use on the client side and what code I must use on the server side.
>> 
> 


Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
There are many different design considerations that pertain to your own situation.
This example is a self-contained web application that shares Shiro security context with EJB security context.
You will need to do more work and design to figure out how to extend this to the client situation,
as there are different levels of trust between client and server.

What I provided is a starting point, and an example of how to deal with sharing security context between EJB
and Shiro.  My situation (web server / app server communication) is not the same as yours (client/server).
You need some other way to push the security context around, as in my situation, the context just stays in the web server.

I don't think there is an out-of-the-box solution for this.

On May 27, 2014, at 12:48 AM, P82 wrote:

> Thank you for your time. But I can't understand from the links which you provide
> what code I must use on the client side and what code I must use on the server side.
> 


Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by P82 <st...@mail.ru>.
Thank you for your time. But I can't understand from the links which you provide
what code I must use on the client side and what code I must use on the server side.




Re: Glassfish 4 + EJB + Shiro + OSGI standalone client

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
It's not trivial, but I have managed to do this, and the result is much, much better than JEE / Glassfish's own authentication API solution.
The key is to "encode" Shiro's Subject in an EJB interceptor and call Java's Subject.runAs() on the protected EJB, and do the remote encoding / decoding
in the interceptor.

My solution is integrated with Tapestry, but I think the library can be used without tapestry, as it's relatively self-contained.

http://code.google.com/p/flowlogix/
http://code.google.com/p/flowlogix/wiki/TapestryLibrary

http://code.google.com/p/flowlogix/wiki/TLShiroSecurityInterceptor
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/security/ShiroSecurityInterceptor.java
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/security/WebSecurityFilter.java
(maybe)
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/internal/SecurityInterceptorFilter.java


On May 26, 2014, at 3:32 PM, P82 wrote:

> Hello experts! The subject describes well what I want. Can you say whether it
> will work, and can anyone provide a tutorial/example of how to implement Shiro
> security to connect to a protected remote EJB from a standalone client?
>