You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by Lothar Werzinger <lo...@tradescape.biz> on 2011/01/08 01:20:09 UTC
Cant access subject with Eclipse RAP
Hi,
I am trying to use Shiro with an Eclipse RAP web application in a tomcat6
container.
I configured a ShiroFilter in the web.xml and Shiro does indeed ask for the
login and verifies it correctly.
However in the application code I get a UnavailableSecurityManagerException:
org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
accessible to the calling code, either bound to the
org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an
invalid application configuration.
This is probably due to the equinox servletbridge.
I then added code to initialise the SecurityManager in my app manually and
register my realm with it. After that I can get a subject, but it is not
authorised:
I do get a principal from the HttpServletRequest (and that shows that Shiro
initially did authorise me):
HttpServletRequest request = RWT.getRequest();
request.getRemoteUser() => lothar
request.getUserPrincipal() => lothar
request.getUserPrincipal().getClass().getName() =>
org.apache.shiro.web.servlet.ShiroHttpServletRequest$ObjectPrincipal
But if I try to access the Shiro subject I get:
Subject subject = SecurityUtils.getSubject();
subject.isAuthenticated() => false
subject.getPrincipal() => null
Any help is highly appreciated.
Thanks!
Lothar
RE: Cant access subject with Eclipse RAP
Posted by Bryan Turner <in...@hotmail.com>.
Specifically, we are exporting:
<entry key="org.apache.shiro" value="${shiro.version}"/>
<entry key="org.apache.shiro.aop" value="${shiro.version}"/>
<entry key="org.apache.shiro.authc" value="${shiro.version}"/>
<entry key="org.apache.shiro.authc.credential" value="${shiro.version}"/>
<entry key="org.apache.shiro.authc.pam" value="${shiro.version}"/>
<entry key="org.apache.shiro.authz" value="${shiro.version}"/>
<entry key="org.apache.shiro.authz.annotation" value="${shiro.version}"/>
<entry key="org.apache.shiro.authz.aop" value="${shiro.version}"/>
<entry key="org.apache.shiro.authz.permission" value="${shiro.version}"/>
<entry key="org.apache.shiro.cache" value="${shiro.version}"/>
<entry key="org.apache.shiro.codec" value="${shiro.version}"/>
<entry key="org.apache.shiro.concurrent" value="${shiro.version}"/>
<entry key="org.apache.shiro.config" value="${shiro.version}"/>
<entry key="org.apache.shiro.crypto" value="${shiro.version}"/>
<entry key="org.apache.shiro.crypto.hash" value="${shiro.version}"/>
<entry key="org.apache.shiro.io" value="${shiro.version}"/>
<entry key="org.apache.shiro.jndi" value="${shiro.version}"/>
<entry key="org.apache.shiro.mgt" value="${shiro.version}"/>
<entry key="org.apache.shiro.realm" value="${shiro.version}"/>
<entry key="org.apache.shiro.realm.activedirectory" value="${shiro.version}"/>
<entry key="org.apache.shiro.realm.jdbc" value="${shiro.version}"/>
<entry key="org.apache.shiro.realm.jndi" value="${shiro.version}"/>
<entry key="org.apache.shiro.realm.ldap" value="${shiro.version}"/>
<entry key="org.apache.shiro.realm.text" value="${shiro.version}"/>
<entry key="org.apache.shiro.session" value="${shiro.version}"/>
<entry key="org.apache.shiro.session.mgt" value="${shiro.version}"/>
<entry key="org.apache.shiro.session.mgt.eis" value="${shiro.version}"/>
<entry key="org.apache.shiro.subject" value="${shiro.version}"/>
<entry key="org.apache.shiro.subject.support" value="${shiro.version}"/>
<entry key="org.apache.shiro.util" value="${shiro.version}"/>
where ${shiro.version} for us is currently 1.2.0.SNAPSHOT (but would work fine with 1.1.0 (Felix doesn't like versions like 1.2.0-SNAPSHOT; hence the .SNAPSHOT instead). You might not need to export all of these, and you may need to export more. These are all system packages, for us (seed bundles may have been the wrong term).
From: incommand@hotmail.com
To: user@shiro.apache.org
Subject: RE: Cant access subject with Eclipse RAP
Date: Mon, 10 Jan 2011 17:57:32 -0700
Lothar, have you tried adding Shiro into the seed bundles exported by the OSGi container? Those packages are available in all class loaders, and are the same instances. That's how we're publishing Shiro in our OSGi application (built on Felix, but we've also tested it on Equinox) and it appears to work without any issues.
Best regards,
Bryan Turner
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Mon, 10 Jan 2011 14:31:03 -0800
>
> On Monday, January 10, 2011, Jared Bunting wrote:
> > I'm only just starting to learn about OSGI and I don't know anything about
> > Eclipse RAP so I may be way off the mark here. It looks like shiro is
> > getting loaded twice - once by your webapp (or whatever does the filtering)
> > and once by your RAP application. Seems like both of them (assuming they
> > are both bundles?) should do an Import-Package on shiro (and have a shiro
> > bundle) or one should Export-Package on shiro and the other should import
> > it. From what I've read (ie. take it with a grain of salt), I would think
> > this would allow your original code to work.
>
> Import or export declarations are not the problem here. OSGi uses special
> class loaders and the OSGi class loader is definitely another one than the
> class loader of the web container (tomcat) that executes the initial
> authentication with Shiro.
> So what's needed is a way to transfer the state of the subject (and possibly
> the security manager) to a (probably new) subject that got created with the
> correct class loader.
>
>
> Lothar
RE: Cant access subject with Eclipse RAP
Posted by Bryan Turner <in...@hotmail.com>.
Lothar,
Sorry for the slow reply; between being sick and my two day jobs, I'm being kept very busy.
All of our jar files for Shiro are in WEB-INF/lib, as is normal for WARs, and are part of the webapp's ClassLoader. Our seed bundles (which includes Spring and Gemini Blueprint) are in a maera-seed-bundles zip file in WEB-INF/maera (where Maera is progress made by Les and I on rewriting a plugin framework initially created by Atlassian). (If you're curious, Maera is open-source and is currently hosted on GitHub: https://github.com/katasource/maera)
At the time when we were using Equinox for this, our configuration was different; Equinox was configured using Maven's PAX runner plugin, and our entire application was deployed in an OSGi way. We found that didn't play well with many things we were doing, which is when we started working on Maera. At this point, only the Felix plugin container is implemented in Maera, so I can't currently switch us back to Equinox. Due to some tight deadlines, I'm not likely to have time to finish the Equinox plugin container for a while.
I'm sorry I can't provide a better answer
Bryan Turner
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Tue, 11 Jan 2011 09:15:25 -0800
>
> On Monday, January 10, 2011, Bryan Turner wrote:
> > First off, just to make sure it's clear: I've never worked with Eclipse
> > RAP, or even the RCP. I'm not sure how some of these concepts are going to
> > translate to it. For our application, we control starting/stopping
> > Felix/Equinox ourselves, and we're able to make direct use of their
> > configuration properties to modify the FRAMEWORK_BOOTDELEGATION packages,
> > which we use to push access to Shiro's classes up into the parent
> > classloader for our bundles (and the ultimate parent classloader is our
> > webapp's loader).
> >
> > I'm assuming you're getting the Shiro jar susing Maven, or that you have
> > downloaded it yourself. The first thing I'd try would be to modify the
> > MANIFEST.MF in that and add the following OSGi directive: Fragment-Host:
> > system.bundle; extension:=framework
> > (See
> > http://www.osgi.org/javadoc/r4v42/org/osgi/framework/Constants.html#EXTENS
> > ION_DIRECTIVE)
> >
> > This should configure the Shiro jars (shiro-core, more specifically, and
> > you may have to modify shiro-web as well it sounds like) to load as OSGi
> > fragment bundles and attach to the system bundles. This is how, from what
> > I see online, core libraries like javax.servlet are configured for RAP.
> >
> > Beyond this, I really don't know much more. Maybe somewhere in the RAP
> > documentation it details how to modify its FRAMEWORK_BOOTDELEGATION,
> > FRAMEWORK_SYSTEMPACKAGES and/or FRAMEWORK_SYSTEMPACKAGES_EXTRA properties,
> > or provides another way to augment the system bundles for the bridge.
> >
> > Best regards,
> > Bryan Turner
>
> Thanks a lot for the details. Can you please also explain where your jars and
> bundles are located inside the war structure and how you start equinox
> yourself? Even if I may not be able to use that technique myself it may help
> me understand how it works for you.
>
> Thanks,
>
> Lothar
Re: Cant access subject with Eclipse RAP
Posted by Lothar Werzinger <lo...@tradescape.biz>.
On Monday, January 10, 2011, Bryan Turner wrote:
> First off, just to make sure it's clear: I've never worked with Eclipse
> RAP, or even the RCP. I'm not sure how some of these concepts are going to
> translate to it. For our application, we control starting/stopping
> Felix/Equinox ourselves, and we're able to make direct use of their
> configuration properties to modify the FRAMEWORK_BOOTDELEGATION packages,
> which we use to push access to Shiro's classes up into the parent
> classloader for our bundles (and the ultimate parent classloader is our
> webapp's loader).
>
> I'm assuming you're getting the Shiro jar susing Maven, or that you have
> downloaded it yourself. The first thing I'd try would be to modify the
> MANIFEST.MF in that and add the following OSGi directive: Fragment-Host:
> system.bundle; extension:=framework
> (See
> http://www.osgi.org/javadoc/r4v42/org/osgi/framework/Constants.html#EXTENS
> ION_DIRECTIVE)
>
> This should configure the Shiro jars (shiro-core, more specifically, and
> you may have to modify shiro-web as well it sounds like) to load as OSGi
> fragment bundles and attach to the system bundles. This is how, from what
> I see online, core libraries like javax.servlet are configured for RAP.
>
> Beyond this, I really don't know much more. Maybe somewhere in the RAP
> documentation it details how to modify its FRAMEWORK_BOOTDELEGATION,
> FRAMEWORK_SYSTEMPACKAGES and/or FRAMEWORK_SYSTEMPACKAGES_EXTRA properties,
> or provides another way to augment the system bundles for the bridge.
>
> Best regards,
> Bryan Turner
Thanks a lot for the details. Can you please also explain where your jars and
bundles are located inside the war structure and how you start equinox
yourself? Even if I may not be able to use that technique myself it may help
me understand how it works for you.
Thanks,
Lothar
RE: Cant access subject with Eclipse RAP
Posted by Bryan Turner <in...@hotmail.com>.
First off, just to make sure it's clear: I've never worked with Eclipse RAP, or even the RCP. I'm not sure how some of these concepts are going to translate to it. For our application, we control starting/stopping Felix/Equinox ourselves, and we're able to make direct use of their configuration properties to modify the FRAMEWORK_BOOTDELEGATION packages, which we use to push access to Shiro's classes up into the parent classloader for our bundles (and the ultimate parent classloader is our webapp's loader).
I'm assuming you're getting the Shiro jar susing Maven, or that you have downloaded it yourself. The first thing I'd try would be to modify the MANIFEST.MF in that and add the following OSGi directive:
Fragment-Host: system.bundle; extension:=framework
(See http://www.osgi.org/javadoc/r4v42/org/osgi/framework/Constants.html#EXTENSION_DIRECTIVE)
This should configure the Shiro jars (shiro-core, more specifically, and you may have to modify shiro-web as well it sounds like) to load as OSGi fragment bundles and attach to the system bundles. This is how, from what I see online, core libraries like javax.servlet are configured for RAP.
Beyond this, I really don't know much more. Maybe somewhere in the RAP documentation it details how to modify its FRAMEWORK_BOOTDELEGATION, FRAMEWORK_SYSTEMPACKAGES and/or FRAMEWORK_SYSTEMPACKAGES_EXTRA properties, or provides another way to augment the system bundles for the bridge.
Best regards,
Bryan Turner
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Mon, 10 Jan 2011 17:41:03 -0800
> CC: incommand@hotmail.com
>
> On Monday, January 10, 2011, Bryan Turner wrote:
> > Yes, we are deploying our OSGi container inside Tomcat (or Jetty, depending
> > on the day). The important distinction may be that we are not loading
> > Shiro as an OSGi bundle. It is a classpath dependency of our webapp
> > itself. When we start Felix (or Equinox), we export Shiro from the jars in
> > the webapp's classpath as a set of system-level bundles--common to the
> > entire OSGi container and available in every classloader.
> >
> > Best regards,
> > Bryan Turner
>
> That sounds like it should work for me, too. Can you elaborate a bit in more
> detail how you actually achieve this?
>
>
> Lothar
Re: Cant access subject with Eclipse RAP
Posted by Lothar Werzinger <lo...@tradescape.biz>.
On Monday, January 10, 2011, Bryan Turner wrote:
> Yes, we are deploying our OSGi container inside Tomcat (or Jetty, depending
> on the day). The important distinction may be that we are not loading
> Shiro as an OSGi bundle. It is a classpath dependency of our webapp
> itself. When we start Felix (or Equinox), we export Shiro from the jars in
> the webapp's classpath as a set of system-level bundles--common to the
> entire OSGi container and available in every classloader.
>
> Best regards,
> Bryan Turner
That sounds like it should work for me, too. Can you elaborate a bit in more
detail how you actually achieve this?
Lothar
RE: Cant access subject with Eclipse RAP
Posted by Bryan Turner <in...@hotmail.com>.
Yes, we are deploying our OSGi container inside Tomcat (or Jetty, depending on the day). The important distinction may be that we are not loading Shiro as an OSGi bundle. It is a classpath dependency of our webapp itself. When we start Felix (or Equinox), we export Shiro from the jars in the webapp's classpath as a set of system-level bundles--common to the entire OSGi container and available in every classloader.
Best regards,
Bryan Turner
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Mon, 10 Jan 2011 17:16:37 -0800
> CC: incommand@hotmail.com
>
> On Monday, January 10, 2011, Bryan Turner wrote:
> > Lothar, have you tried adding Shiro into the seed bundles exported by the
> > OSGi container? Those packages are available in all class loaders, and are
> > the same instances. That's how we're publishing Shiro in our OSGi
> > application (built on Felix, but we've also tested it on Equinox) and it
> > appears to work without any issues.
> >
> > Best regards,
> > Bryan Turner
>
> If I use Shiro in my pure OSGi RCP Eclipse app, I have no such problems.
> I only have the problems in the RAP application which uses the equinox server
> bridge to run equinox inside the web container (tomcat).
> Are you running your OSGi in a web container (tomcat), too?
>
> The servlet bridge is a bit funky, as one needs to copy the jar files one
> wants to access from the web container into the WEB_INF/lib directory,
> otherwise the web container won't find them, whereas the wrapped equinox
> application has it's bundles in WEB-INF/plugins. Don't ask me why the gods of
> equinox choose that particular layout.
>
> Lothar
Re: Cant access subject with Eclipse RAP
Posted by Lothar Werzinger <lo...@tradescape.biz>.
On Monday, January 10, 2011, Bryan Turner wrote:
> Lothar, have you tried adding Shiro into the seed bundles exported by the
> OSGi container? Those packages are available in all class loaders, and are
> the same instances. That's how we're publishing Shiro in our OSGi
> application (built on Felix, but we've also tested it on Equinox) and it
> appears to work without any issues.
>
> Best regards,
> Bryan Turner
If I use Shiro in my pure OSGi RCP Eclipse app, I have no such problems.
I only have the problems in the RAP application which uses the equinox server
bridge to run equinox inside the web container (tomcat).
Are you running your OSGi in a web container (tomcat), too?
The servlet bridge is a bit funky, as one needs to copy the jar files one
wants to access from the web container into the WEB_INF/lib directory,
otherwise the web container won't find them, whereas the wrapped equinox
application has it's bundles in WEB-INF/plugins. Don't ask me why the gods of
equinox choose that particular layout.
Lothar
RE: Cant access subject with Eclipse RAP
Posted by Bryan Turner <in...@hotmail.com>.
Lothar, have you tried adding Shiro into the seed bundles exported by the OSGi container? Those packages are available in all class loaders, and are the same instances. That's how we're publishing Shiro in our OSGi application (built on Felix, but we've also tested it on Equinox) and it appears to work without any issues.
Best regards,
Bryan Turner
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Mon, 10 Jan 2011 14:31:03 -0800
>
> On Monday, January 10, 2011, Jared Bunting wrote:
> > I'm only just starting to learn about OSGI and I don't know anything about
> > Eclipse RAP so I may be way off the mark here. It looks like shiro is
> > getting loaded twice - once by your webapp (or whatever does the filtering)
> > and once by your RAP application. Seems like both of them (assuming they
> > are both bundles?) should do an Import-Package on shiro (and have a shiro
> > bundle) or one should Export-Package on shiro and the other should import
> > it. From what I've read (ie. take it with a grain of salt), I would think
> > this would allow your original code to work.
>
> Import or export declarations are not the problem here. OSGi uses special
> class loaders and the OSGi class loader is definitely another one than the
> class loader of the web container (tomcat) that executes the initial
> authentication with Shiro.
> So what's needed is a way to transfer the state of the subject (and possibly
> the security manager) to a (probably new) subject that got created with the
> correct class loader.
>
>
> Lothar
Re: Cant access subject with Eclipse RAP
Posted by Lothar Werzinger <lo...@tradescape.biz>.
On Monday, January 10, 2011, Jared Bunting wrote:
> I'm only just starting to learn about OSGI and I don't know anything about
> Eclipse RAP so I may be way off the mark here. It looks like shiro is
> getting loaded twice - once by your webapp (or whatever does the filtering)
> and once by your RAP application. Seems like both of them (assuming they
> are both bundles?) should do an Import-Package on shiro (and have a shiro
> bundle) or one should Export-Package on shiro and the other should import
> it. From what I've read (ie. take it with a grain of salt), I would think
> this would allow your original code to work.
Import or export declarations are not the problem here. OSGi uses special
class loaders and the OSGi class loader is definitely another one than the
class loader of the web container (tomcat) that executes the initial
authentication with Shiro.
So what's needed is a way to transfer the state of the subject (and possibly
the security manager) to a (probably new) subject that got created with the
correct class loader.
Lothar
Re: Cant access subject with Eclipse RAP
Posted by Jared Bunting <ja...@digitalreasoning.com>.
I'm only just starting to learn about OSGI and I don't know anything about
Eclipse RAP so I may be way off the mark here. It looks like shiro is
getting loaded twice - once by your webapp (or whatever does the filtering)
and once by your RAP application. Seems like both of them (assuming they
are both bundles?) should do an Import-Package on shiro (and have a shiro
bundle) or one should Export-Package on shiro and the other should import
it. From what I've read (ie. take it with a grain of salt), I would think
this would allow your original code to work.
-Jared
On 1/10/11 3:22 PM, "Lothar Werzinger" <lo...@tradescape.biz> wrote:
> On Friday, January 07, 2011, Lothar Werzinger wrote:
>> Hi,
>>
>> I am trying to use Shiro with an Eclipse RAP web application in a tomcat6
>> container.
>>
>> I configured a ShiroFilter in the web.xml and Shiro does indeed ask for the
>> login and verifies it correctly.
>>
>> However in the application code I get a
>> UnavailableSecurityManagerException:
>>
>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
>> accessible to the calling code, either bound to the
>> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is
>> an invalid application configuration.
>>
>>
>> This is probably due to the equinox servletbridge.
>>
>> I then added code to initialise the SecurityManager in my app manually and
>> register my realm with it. After that I can get a subject, but it is not
>> authorised:
>>
>> I do get a principal from the HttpServletRequest (and that shows that Shiro
>> initially did authorise me):
>>
>> HttpServletRequest request = RWT.getRequest();
>> request.getRemoteUser() => lothar
>> request.getUserPrincipal() => lothar
>> request.getUserPrincipal().getClass().getName() =>
>> org.apache.shiro.web.servlet.ShiroHttpServletRequest$ObjectPrincipal
>>
>>
>> But if I try to access the Shiro subject I get:
>>
>> Subject subject = SecurityUtils.getSubject();
>> subject.isAuthenticated() => false
>> subject.getPrincipal() => null
>
>
> I did more digging and found this is because the Eclipse RAP application being
> an OSGi application it has obviously a different class loader.
>
> If I access the request (which is a ShiroHttpServletRequest) via reflection to
> extract the subject (as the accessor is unfortunately protected)
>
> Class<?> clazz = request.getClass();
> Method getSubject = clazz.getDeclaredMethod("getSubject");
> getSubject.setAccessible(true);
> Object object = getSubject.invoke(request);
> WebDelegatingSubject subject = (WebDelegatingSubject) object;
>
> the the cast to WebDelegatingSubject fails due to the different class loader:
>
> java.lang.ClassCastException:
> org.apache.shiro.web.subject.support.WebDelegatingSubject cannot be cast to
> org.apache.shiro.web.subject.support.WebDelegatingSubject
>
>
> Is there a way for Shiro to communicate the state of the subject across class
> loaders? If so, how can I accomplish this?
>
> Any help is highly appreciated.
>
> Thanks!
>
> Lothar
Re: Cant access subject with Eclipse RAP
Posted by Lothar Werzinger <lo...@tradescape.biz>.
On Friday, January 07, 2011, Lothar Werzinger wrote:
> Hi,
>
> I am trying to use Shiro with an Eclipse RAP web application in a tomcat6
> container.
>
> I configured a ShiroFilter in the web.xml and Shiro does indeed ask for the
> login and verifies it correctly.
>
> However in the application code I get a
> UnavailableSecurityManagerException:
>
> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
> accessible to the calling code, either bound to the
> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is
> an invalid application configuration.
>
>
> This is probably due to the equinox servletbridge.
>
> I then added code to initialise the SecurityManager in my app manually and
> register my realm with it. After that I can get a subject, but it is not
> authorised:
>
> I do get a principal from the HttpServletRequest (and that shows that Shiro
> initially did authorise me):
>
> HttpServletRequest request = RWT.getRequest();
> request.getRemoteUser() => lothar
> request.getUserPrincipal() => lothar
> request.getUserPrincipal().getClass().getName() =>
> org.apache.shiro.web.servlet.ShiroHttpServletRequest$ObjectPrincipal
>
>
> But if I try to access the Shiro subject I get:
>
> Subject subject = SecurityUtils.getSubject();
> subject.isAuthenticated() => false
> subject.getPrincipal() => null
I did more digging and found this is because the Eclipse RAP application being
an OSGi application it has obviously a different class loader.
If I access the request (which is a ShiroHttpServletRequest) via reflection to
extract the subject (as the accessor is unfortunately protected)
Class<?> clazz = request.getClass();
Method getSubject = clazz.getDeclaredMethod("getSubject");
getSubject.setAccessible(true);
Object object = getSubject.invoke(request);
WebDelegatingSubject subject = (WebDelegatingSubject) object;
the the cast to WebDelegatingSubject fails due to the different class loader:
java.lang.ClassCastException:
org.apache.shiro.web.subject.support.WebDelegatingSubject cannot be cast to
org.apache.shiro.web.subject.support.WebDelegatingSubject
Is there a way for Shiro to communicate the state of the subject across class
loaders? If so, how can I accomplish this?
Any help is highly appreciated.
Thanks!
Lothar