Posted to user@shiro.apache.org by zooxmusic <br...@109forest.com> on 2010/09/17 03:53:52 UTC

Best way to associate Session to SecureRemoteInvocationFactory

Ok, it is late and I may be able to get this tomorrow but I may not so I
figure I would ask.

I have a Swing desktop and a Spring remoting server like your examples. I
looked at the webstart client and the spring server and feel I pretty much
got the basic but....

I'm not really sure why you guys made this example starting off with a jsp
based log in and THEN switching to a desktop application. From my experience
if you're writing a desktop app, you're writing a desktop app and not switching
between web and desktop just to log in/out. I hope there is a nice clean way
to do this but given the fact that you did the example this way scares me a
little.

(I apologize for the jab but it's late and I'm a bit cranky.)

Can someone please give me a nice clean, non hokey way to use a swing app to
login, return the sessionid, set it into the secureRemoteInvocationFactory
and then be on my way?


-- 
View this message in context: http://shiro-user.582556.n2.nabble.com/Best-way-to-associate-Session-to-SecureRemoteInvocationFactory-tp5541140p5541140.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Best way to associate Session to SecureRemoteInvocationFactory

Posted by zooxmusic <br...@109forest.com>.
Nope, that's not working.

I am allowed into a call that has

@RequiresPermissions("permission2")

even when there is no sessionid and I am not authenticated. My filter chain
is

/remote/** = perms

Re: Best way to associate Session to SecureRemoteInvocationFactory

Posted by zooxmusic <br...@109forest.com>.
Ok, I just figured I would read about the "web" config even though the trail
in the reference manual leads me to Spring specifics and then never explains
the filter chains.

So I understand where the config is set up now and I know I do not need to
deploy the shiro jar with my client. Good! That is fantastic.

But what is the suggestion to set up an application that is entirely roles,
permissions and user based EXCEPT login and logout?

If all of my services are under /remote/*

/remote/securityService = anon
/remote/** = perms, roles, user

is that the suggested way to do it?


And it seems an org.springframework.remoting.RemoteAccessException is being
thrown, not an AuthorizationException. Is there anything obvious that you may
think is wrong?


Re: Best way to associate Session to SecureRemoteInvocationFactory

Posted by zooxmusic <br...@109forest.com>.
Ok, that is working and I suppose I'm ok with that approach. Now given the
lack of documentation, I am having an issue on how to secure my remote
services.

I have tried putting the @RequiresPermissions("permission2") on the
interface (although I really don't want to create another jar dependency in
my client) and on the implementation on the server yet the
doGetAuthorizationInfo is never being called. 

I am under the impression that since I am not using web URLs and jsp pages
the org.apache.shiro.spring.web.ShiroFilterFactoryBean isn't really relevant
to me. Is that true? If not, how do I specify the method on my interface
where login is?

I have the following in my web.xml and all of my remote services are exposed
through /remote

<filter>
   <filter-name>shiroFilter</filter-name>
   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
   <filter-name>shiroFilter</filter-name>
   <url-pattern>/remote/*</url-pattern>
</filter-mapping>


My very specific questions are:

Where exactly is the configuration that enables security? Is it in fact in
the org.apache.shiro.spring.web.ShiroFilterFactoryBean? 

Where do I need to annotate my methods? In the interface that gets deployed
to the client, therefore requiring another dependency, or is annotating the
implementation valid?




Re: Best way to associate Session to SecureRemoteInvocationFactory

Posted by zooxmusic <br...@109forest.com>.
Oh, ok, thanks.

Re: Best way to associate Session to SecureRemoteInvocationFactory

Posted by Kalle Korhonen <ka...@gmail.com>.
On Thu, Sep 16, 2010 at 9:54 PM, zooxmusic <br...@109forest.com> wrote:
> spring-hibernate very clearly demonstrates the jsp based approach. So the
> injecting of the sessionId into the remoteInvocationFactory AFTER getting it
> back from a call in a desktop app is very sorely missing.

In your case, perhaps simplest to set the system property
"shiro.session.id"? That's what the SecureRemoteInvocationFactory will
use if it's not injected/set using other mechanisms.

Kalle
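Kalle's suggestion above, worked through as an added example that is not from this thread or the Shiro project: the desktop client logs in through a remote login service, then publishes the returned session id via the "shiro.session.id" system property that SecureRemoteInvocationFactory falls back to, so remote proxies injected at start-up carry the id on later calls. `LoginService` and its two methods are assumptions standing in for the poster's /remote/securityService.

```java
import java.util.Arrays;
import java.util.Objects;

/** Hypothetical remote login service (assumed; stands in for /remote/securityService). */
interface LoginService {
    /** Returns the Shiro session id on success, throws on bad credentials. */
    String login(String username, char[] password);
    void logout(String sessionId);
}

/**
 * Holds the desktop client's current Shiro session id and publishes it through the
 * system property SecureRemoteInvocationFactory reads when no id was injected directly.
 */
public final class ClientSession {
    /** Property name named in the thread; the factory uses it as its fallback source. */
    static final String SESSION_ID_PROPERTY = "shiro.session.id";

    private final LoginService loginService;
    private volatile String sessionId;

    public ClientSession(LoginService loginService) {
        this.loginService = Objects.requireNonNull(loginService);
    }

    /** Logs in; afterwards every proxy created before login sends the new id. */
    public synchronized String login(String username, char[] password) {
        try {
            String id = loginService.login(username, password);
            if (id == null || id.isEmpty()) {
                throw new IllegalStateException("login returned no session id");
            }
            sessionId = id;
            System.setProperty(SESSION_ID_PROPERTY, id);
            return id;
        } finally {
            Arrays.fill(password, '\0');   // do not keep the password in memory
        }
    }

    /** Invalidates the server session first, then stops sending the id with later calls. */
    public synchronized void logout() {
        String id = sessionId;
        if (id == null) return;
        try {
            loginService.logout(id);   // still carries the id: property is set until finally
        } finally {
            sessionId = null;
            System.clearProperty(SESSION_ID_PROPERTY);   // otherwise the stale id is replayed
        }
    }

    public boolean isLoggedIn() { return sessionId != null; }
}
```

The property is process-wide, so one JVM holds one session at a time; clearing it on logout (and on a failed re-login) keeps an old id from being sent with later calls.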

Re: Best way to associate Session to SecureRemoteInvocationFactory

Posted by zooxmusic <br...@109forest.com>.
Uhm... ok, maybe I didn't articulate that properly. 

I guess I was looking for something simple but exactly like the
spring-client and spring examples. Seriously man, exactly like those examples
except without jsp's and with a swing login/logout. That's it. Not the
world. Just an example of how you guys suggest setting the sessionId in the
remoteInvocationFactory after those remote services have already been
injected during initialization.

I have a bad feeling that I am going to lose the ability to inject all of my
remote services during initialization and have to manually do it after I
login because the SESSIONID is final and there is no setter. But, I am
hoping you have a mechanism for this. Maybe even a class that I can extend
which I would inject during init and which would then use a dynamic method
to retrieve the nice new session id I just got back from my swing based
login. I sure hope I am missing something very obvious, so really just an
example that shows how to keep my dependency injection of all my spring
remote services and still set that sessionId dynamically is all I need. It
should only be a few lines of code, and maybe point me to a few classes.

And I didn't feel I was reading into it. I feel examples are meant to
provide developers a quick start to common problems. To have a jsp login to
launch a webstart app is not common, or so I believe. Actually, webstart
provides a mechanism to bypass a browser altogether once it has been run and
this was very appealing to me and I am aware to many others. Plus the
spring-hibernate very clearly demonstrates the jsp based approach. So the
injecting of the sessionId into the remoteInvocationFactory AFTER getting it
back from a call in a desktop app is very sorely missing. 

Re: Best way to associate Session to SecureRemoteInvocationFactory

Posted by Kalle Korhonen <ka...@gmail.com>.
On Thu, Sep 16, 2010 at 6:53 PM, zooxmusic <br...@109forest.com> wrote:
> I have a Swing desktop and a Spring remoting server like your examples. I
> looked at the webstart client and the spring server and feel I pretty much
> got the basic but....
> I'm not really sure why you guys made this example starting off with a jsp
> based log in and THEN switching to a desktop application. From my experience
> if you're writing a desktop app, you're writing a desktop app and not switching
> between web and desktop just to log in/out. I hope there is a nice clean way
> to do this but given the fact that you did the example this way scares me a
> little.

Oh, don't read too much into it. It's a demonstration of Shiro's
capabilities, not a demonstration of architecture. In the example, the
webapp is merely a delivery mechanism for the client app (you know,
it's easier to run a webstart app than install a desktop app). For
passing the session id, I don't think the mechanism used (dynamic jnlp
template) in the example is clunky at all but rather interesting and
also secure. Of course, it's a design decision that means you want the
same session id to be used for the lifetime of that application, which
probably isn't true in your case or even in most common cases.

> Can someone please give me a nice clean, non hokey way to use a swing app to
> login, return the sessionid, set it into the secureRemoteInvocationFactory
> and then be on my way?

The session management is entirely up to you. The possibilities are
too great and there are too many communication protocols for us to
suggest a particular way of doing it. If you are using http, consider
using cookies just the same way as a standard Java web application
does things. Want REST and you are allowed to simply use basic
authentication? Just pass the credentials in the headers. Just want to
return a temporary authentication token regardless of protocol? Create
a login service that returns a token on validated Shiro credentials. I
could have many other examples, but the issue has more to do with the
design of the authentication server you are connecting to than the
client. Consider the use cases for your service - what kind of clients
does it need to serve and then choose the simplest & most secure
option that covers all of those use cases.

Kalle