Posted to user@shiro.apache.org by stensonb <br...@gmail.com> on 2011/08/15 00:48:52 UTC

Trouble with custom filter, custom realm

Hi everybody...I've spent the past few days trying to figure this out, and am
now finally (!) willing to admit I cannot - without somebody else's help!

I'm looking to protect specific paths of my servlet with a "token"
string...this "token" is a sort of username/password combo that is passed as
a URL parameter (over https, of course).

I'm using shiro-all, v.1.1.0 (via maven).

My trouble is that, no matter what URL parameters I pass (including the
desired "?token=blahblahbla...."), my request ends up in the
MyAuthenticatingFilter.onAccessDenied() method.

I've placed breakpoints on EVERY return statement in each of my classes'
methods, but the only one getting called is
MyAuthenticatingFilter.onAccessDenied().

From what I can tell, the MyRealm.supports() method isn't getting called -
despite explicitly setting the realms property in the SecurityManager.

Can anybody offer insight on what might be happening here?  Should I be
extending/implementing some other classes instead?  (any and all suggestions
are welcome...I'm at the end of my road here...I've been staring at the
help docs for so long, they are quickly turning into visible mush).

Thanks for reading.
Bryan



My ini config looks like this:

[main]
myRealm = com.blah.playground.MyAuthenticatingRealm
myFilter = com.blah.playground.MyAuthenticatingFilter
securityManager.realms = $myRealm

[urls]
/** = myFilter

And my classes look like this:

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response.Status;

import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;

public class MyAuthenticatingFilter extends AuthenticatingFilter {

	@Override
	protected AuthenticationToken createToken(ServletRequest request,
			ServletResponse response) throws Exception {

		// Build the token from the "token" URL parameter. Shiro only calls this
		// from executeLogin(), which nothing in this class invokes yet.
		String tokenParam = request.getParameter("token");
		if (tokenParam == null)
			throw new WebApplicationException(Status.BAD_REQUEST);

		return new MyAuthenticationToken(tokenParam);
	}

	@Override
	protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
			throws Exception {
		// Auto-generated stub: rejects every unauthenticated request without
		// attempting a login.
		return false;
	}
}

and:

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class MyRealm extends AuthorizingRealm {

	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		// Auto-generated stub: no roles or permissions yet
		return null;
	}

	@Override
	public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
			throws AuthenticationException {

		// cast this to my token (supports() guarantees the type)
		MyAuthenticationToken theToken = (MyAuthenticationToken) token;

		if (theToken.getUserToken().equalsIgnoreCase("234"))
		{
			// good token: principal "bryan", credentials = the token string itself
			return new SimpleAuthenticationInfo("bryan", theToken.getUserToken(),
					getName());
		}

		// unknown token: null tells the Authenticator there is no matching account
		return null;
	}

	@Override
	public boolean supports(AuthenticationToken token) {
		// instanceof is already false for null
		return token instanceof MyAuthenticationToken;
	}
}

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Trouble-with-custom-filter-custom-realm-tp6685837p6685837.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Trouble with custom filter, custom realm

Posted by stensonb <br...@gmail.com>.
Indeed...the logic in onAccessDenied() is what I was missing.  Thanks for
your quick help.  I'll follow the bug along.

Bryan


Re: Trouble with custom filter, custom realm

Posted by stensonb <br...@gmail.com>.
Ah...that makes more sense...I should have looked into these classes to
figure out how it works...

Thanks for your insights.  I'll follow-up here this evening when I've worked
this out.

Many thanks.
Bryan


Re: Trouble with custom filter, custom realm

Posted by Les Hazlewood <lh...@apache.org>.
P.S. Here is the BasicAuthenticationFilter's similar logic:

http://shiro.apache.org/static/1.1.0/xref/org/apache/shiro/web/filter/authc/BasicHttpAuthenticationFilter.html#186

Re: Trouble with custom filter, custom realm

Posted by Les Hazlewood <lh...@apache.org>.
Hi Bryan,

> Hi everybody...I've spent the past few days trying to figure this out, and am
> now finally (!) willing to admit I cannot - without somebody else's help!

It's ok - I'm sure we'll work it out. :)

> I'm looking to protect specific paths of my servlet with a "token"
> string...this "token" is a sort of username/password combo that is passed as
> a URL parameter (over https, of course).
>
> I'm using shiro-all, v.1.1.0 (via maven).

Side note: If you're using Maven, please use the respective/needed
shiro .jars and not shiro-all.  shiro-all.jar does not maintain
correct Maven metadata for dependency management and is only intended
to be used in non-Ivy Ant environments.  If you depend on
shiro-web.jar, you should get the correct dependencies for your web
app automatically.

> My trouble is that, no matter what URL parameters I pass (including the
> desired "?token=blahblahbla...."), my request ends up in the
> MyAuthenticatingFilter.onAccessDenied() method.

Ah, I'm pretty sure I know what is going on:

The AuthenticationFilter (the parent of AuthenticatingFilter) will
always call onAccessDenied and prevent the request from continuing if
the Subject is not authenticated - even if the current request
represents an authentication request.

The FormAuthenticationFilter for example uses this knowledge to
override the onAccessDenied method, where it then determines if it is a
login request and, if so, goes ahead and authenticates; otherwise it
redirects the user to the login page.  That logic is here:

http://shiro.apache.org/static/1.1.0/xref/org/apache/shiro/web/filter/authc/FormAuthenticationFilter.html#148

So in short, your onAccessDenied method implementation is responsible
for performing this additional logic at the moment.

However, I can see how this can be confusing - while both the
FormAuthenticationFilter and BasicAuthenticationFilter implementations
perform this logic themselves, the logic should really be consolidated
in the AuthenticatingFilter so it can be leveraged by custom
subclasses like yours.  I've created a Jira issue to reflect this:

https://issues.apache.org/jira/browse/SHIRO-321

Please vote/watch it to indicate your interest.

> From what I can tell, the MyRealm.supports() method isn't getting called -
> despite explicitly setting the realms property in the SecurityManager.

It will be called once your AuthenticatingFilter subclass performs the
login logic in the onAccessDenied method.  The SecurityManager's
nested Authenticator does this in the 'doSingleRealmAuthentication'
method:

http://shiro.apache.org/static/1.1.0/xref/org/apache/shiro/authc/pam/ModularRealmAuthenticator.html#173

> Can anybody offer insight on what might be happening here?  Should I be
> extending/implementing some other classes instead?  (any and all suggestions
> are welcome...i'm at the end of my road here...I've been starring at the
> help docs for so long, they are quickly turning into visible mush).

Hopefully that will get you moving again - again, please vote/watch
the Jira issue I created.  Votes/watches are the only good way for the
Shiro dev team to understand what our community wants the most.

HTH!

Best regards,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
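Here is what the onAccessDenied() logic Les describes looks like when written out for the token-parameter filter in this thread: recognise a login attempt, run executeLogin(), and otherwise stop the request. This is an added example, not code from the thread or from Shiro itself; TokenParamAuthenticatingFilter is a made-up name, and MyAuthenticationToken is assumed to be Bryan's own token class (not shown above).

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

public class TokenParamAuthenticatingFilter extends AuthenticatingFilter {

    private static final String TOKEN_PARAM = "token";

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        // Reached only via executeLogin(), after onAccessDenied() has seen the parameter.
        // MyAuthenticationToken is assumed to be the poster's own token class.
        return new MyAuthenticationToken(request.getParameter(TOKEN_PARAM));
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        // AuthenticationFilter sends every request from an unauthenticated Subject here,
        // even one carrying credentials, so this method must recognise a login attempt
        // and run the login itself (as FormAuthenticationFilter does).
        if (request.getParameter(TOKEN_PARAM) != null) {
            // executeLogin() -> createToken() -> Subject.login() -> realm.supports() /
            // realm.doGetAuthenticationInfo(). True lets the chain continue; on an
            // AuthenticationException it returns whatever onLoginFailure() returns.
            return executeLogin(request, response);
        }
        // No credentials at all: stop the chain with an explicit 401 instead of a bare false.
        WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        // The realm rejected the token: answer 401 and keep the request out.
        try {
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (java.io.IOException ioe) {
            // response already committed; nothing more to do
        }
        return false;
    }
}
```

Because a query-string credential tends to end up in access logs, proxies and browser history even over HTTPS, the same pattern works unchanged if the token is read from a request header instead of request.getParameter().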

Re: Trouble with custom filter, custom realm

Posted by stensonb <br...@gmail.com>.
Oops...included the wrong class:

import java.util.Collection;
import java.util.List;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class MyAuthenticatingRealm extends AuthenticatingRealm {

	// Authorization stubs (auto-generated): nothing is granted yet.

	public void checkPermission(PrincipalCollection principals, String permission)
			throws AuthorizationException {
		// TODO Auto-generated method stub
	}

	public void checkPermission(PrincipalCollection principals, Permission permission)
			throws AuthorizationException {
		// TODO Auto-generated method stub
	}

	public void checkPermissions(PrincipalCollection principals, String... permissions)
			throws AuthorizationException {
		// TODO Auto-generated method stub
	}

	public void checkPermissions(PrincipalCollection principals,
			Collection<Permission> permissions) throws AuthorizationException {
		// TODO Auto-generated method stub
	}

	public void checkRole(PrincipalCollection principals, String role)
			throws AuthorizationException {
		// TODO Auto-generated method stub
	}

	public void checkRoles(PrincipalCollection principals, Collection<String> roles)
			throws AuthorizationException {
		// TODO Auto-generated method stub
	}

	public void checkRoles(PrincipalCollection principals, String... roles)
			throws AuthorizationException {
		// TODO Auto-generated method stub
	}

	public boolean hasAllRoles(PrincipalCollection principals, Collection<String> roles) {
		// TODO Auto-generated method stub
		return false;
	}

	public boolean hasRole(PrincipalCollection principals, String role) {
		// TODO Auto-generated method stub
		return false;
	}

	public boolean[] hasRoles(PrincipalCollection principals, List<String> roles) {
		// TODO Auto-generated method stub
		return null;
	}

	public boolean isPermitted(PrincipalCollection principals, String permission) {
		// TODO Auto-generated method stub
		return false;
	}

	public boolean isPermitted(PrincipalCollection principals, Permission permission) {
		// TODO Auto-generated method stub
		return false;
	}

	public boolean[] isPermitted(PrincipalCollection principals, String... permissions) {
		// TODO Auto-generated method stub
		return null;
	}

	public boolean[] isPermitted(PrincipalCollection principals, List<Permission> permissions) {
		// TODO Auto-generated method stub
		return null;
	}

	public boolean isPermittedAll(PrincipalCollection principals, String... permissions) {
		// TODO Auto-generated method stub
		return false;
	}

	public boolean isPermittedAll(PrincipalCollection principals,
			Collection<Permission> permissions) {
		// TODO Auto-generated method stub
		return false;
	}

	// Authentication: this stub never returns account info, so every login fails.

	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
			throws AuthenticationException {
		// TODO Auto-generated method stub
		return null;
	}

	@Override
	public boolean supports(AuthenticationToken token) {
		// instanceof is already false for null
		return token instanceof MyAuthenticationToken;
	}

}
