Cant access subject with Eclipse RAP

[Lothar Werzinger <lo...@tradescape.biz>]

Hi,

I am trying to use Shiro with an Eclipse RAP web application in a tomcat6 
container.

I configured a ShiroFilter in the web.xml and Shiro does indeed ask for the 
login and verifies it correctly.

However in the application code I get a UnavailableSecurityManagerException:

org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager 
accessible to the calling code, either bound to the 
org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is an 
invalid application configuration.


This is probably due to the equinox servletbridge.

I then added code to initialise the SecurityManager in my app manually and 
register my realm with it. After that I can get a subject, but it is not 
authorised:

I do get a principal from the HttpServletRequest (and that shows that Shiro 
initially did authorise me):

  HttpServletRequest request = RWT.getRequest();
  request.getRemoteUser() => lothar
  request.getUserPrincipal() => lothar
  request.getUserPrincipal().getClass().getName() => 
org.apache.shiro.web.servlet.ShiroHttpServletRequest$ObjectPrincipal


But if I try to access the Shiro subject I get:

  Subject subject = SecurityUtils.getSubject();
  subject.isAuthenticated() => false
  subject.getPrincipal() => null


Any help is highly appreciated.

Thanks!
Lothar

RE: Cant access subject with Eclipse RAP

[Bryan Turner <in...@hotmail.com>]

Specifically, we are exporting:
                <entry key="org.apache.shiro" value="${shiro.version}"/>
                <entry key="org.apache.shiro.aop" value="${shiro.version}"/>
                <entry key="org.apache.shiro.authc" value="${shiro.version}"/>
                <entry key="org.apache.shiro.authc.credential" value="${shiro.version}"/>
                <entry key="org.apache.shiro.authc.pam" value="${shiro.version}"/>
                <entry key="org.apache.shiro.authz" value="${shiro.version}"/>
                <entry key="org.apache.shiro.authz.annotation" value="${shiro.version}"/>
                <entry key="org.apache.shiro.authz.aop" value="${shiro.version}"/>
                <entry key="org.apache.shiro.authz.permission" value="${shiro.version}"/>
                <entry key="org.apache.shiro.cache" value="${shiro.version}"/>
                <entry key="org.apache.shiro.codec" value="${shiro.version}"/>
                <entry key="org.apache.shiro.concurrent" value="${shiro.version}"/>
                <entry key="org.apache.shiro.config" value="${shiro.version}"/>
                <entry key="org.apache.shiro.crypto" value="${shiro.version}"/>
                <entry key="org.apache.shiro.crypto.hash" value="${shiro.version}"/>
                <entry key="org.apache.shiro.io" value="${shiro.version}"/>
                <entry key="org.apache.shiro.jndi" value="${shiro.version}"/>
                <entry key="org.apache.shiro.mgt" value="${shiro.version}"/>
                <entry key="org.apache.shiro.realm" value="${shiro.version}"/>
                <entry key="org.apache.shiro.realm.activedirectory" value="${shiro.version}"/>
                <entry key="org.apache.shiro.realm.jdbc" value="${shiro.version}"/>
                <entry key="org.apache.shiro.realm.jndi" value="${shiro.version}"/>
                <entry key="org.apache.shiro.realm.ldap" value="${shiro.version}"/>
                <entry key="org.apache.shiro.realm.text" value="${shiro.version}"/>
                <entry key="org.apache.shiro.session" value="${shiro.version}"/>
                <entry key="org.apache.shiro.session.mgt" value="${shiro.version}"/>
                <entry key="org.apache.shiro.session.mgt.eis" value="${shiro.version}"/>
                <entry key="org.apache.shiro.subject" value="${shiro.version}"/>
                <entry key="org.apache.shiro.subject.support" value="${shiro.version}"/>
                <entry key="org.apache.shiro.util" value="${shiro.version}"/>
where ${shiro.version} for us is currently 1.2.0.SNAPSHOT (but would work fine with 1.1.0 (Felix doesn't like versions like 1.2.0-SNAPSHOT; hence the .SNAPSHOT instead). You might not need to export all of these, and you may need to export more. These are all system packages, for us (seed bundles may have been the wrong term).
 


From: incommand@hotmail.com
To: user@shiro.apache.org
Subject: RE: Cant access subject with Eclipse RAP
Date: Mon, 10 Jan 2011 17:57:32 -0700




Lothar, have you tried adding Shiro into the seed bundles exported by the OSGi container? Those packages are available in all class loaders, and are the same instances. That's how we're publishing Shiro in our OSGi application (built on Felix, but we've also tested it on Equinox) and it appears to work without any issues.
 
Best regards,
Bryan Turner
 
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Mon, 10 Jan 2011 14:31:03 -0800
> 
> On Monday, January 10, 2011, Jared Bunting wrote:
> > I'm only just starting to learn about OSGI and I don't know anything about
> > Eclipse RAP so I may be way off the mark here. It looks like shiro is
> > getting loaded twice - once by your webapp (or whatever does the filtering)
> > and once by your RAP application. Seems like both of them (assuming they
> > are both bundles?) should do an Import-Package on shiro (and have a shiro
> > bundle) or one should Export-Package on shiro and the other should import
> > it. From what I've read (ie. take it with a grain of salt), I would think
> > this would allow your original code to work.
> 
> Import or export declarations are not the problem here. OSGi uses special 
> class loaders and the OSGi class loader is definitely another one than the 
> class loader of the web container (tomcat) that executes the initial 
> authentication with Shiro.
> So what's needed is a way to transfer the state of the subject (and possibly 
> the security manager) to a (probably new) subject that got created with the 
> correct class loader.
> 
> 
> Lothar
 		 	   		  

RE: Cant access subject with Eclipse RAP

[Bryan Turner <in...@hotmail.com>]

Lothar,
 
Sorry for the slow reply; between being sick and my two day jobs, I'm being kept very busy.
 
All of our jar files for Shiro are in WEB-INF/lib, as is normal for WARs, and are part of the webapp's ClassLoader. Our seed bundles (which includes Spring and Gemini Blueprint) are in a maera-seed-bundles zip file in WEB-INF/maera (where Maera is progress made by Les and I on rewriting a plugin framework initially created by Atlassian). (If you're curious, Maera is open-source and is currently hosted on GitHub: https://github.com/katasource/maera)
 
At the time when we were using Equinox for this, our configuration was different; Equinox was configured using Maven's PAX runner plugin, and our entire application was deployed in an OSGi way. We found that didn't play well with many things we were doing, which is when we started working on Maera. At this point, only the Felix plugin container is implemented in Maera, so I can't currently switch us back to Equinox. Due to some tight deadlines, I'm not likely to have time to finish the Equinox plugin container for a while.
 
I'm sorry I can't provide a better answer
Bryan Turner
 
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Tue, 11 Jan 2011 09:15:25 -0800
> 
> On Monday, January 10, 2011, Bryan Turner wrote:
> > First off, just to make sure it's clear: I've never worked with Eclipse
> > RAP, or even the RCP. I'm not sure how some of these concepts are going to
> > translate to it. For our application, we control starting/stopping
> > Felix/Equinox ourselves, and we're able to make direct use of their
> > configuration properties to modify the FRAMEWORK_BOOTDELEGATION packages,
> > which we use to push access to Shiro's classes up into the parent
> > classloader for our bundles (and the ultimate parent classloader is our
> > webapp's loader).
> > 
> > I'm assuming you're getting the Shiro jar susing Maven, or that you have
> > downloaded it yourself. The first thing I'd try would be to modify the
> > MANIFEST.MF in that and add the following OSGi directive: Fragment-Host:
> > system.bundle; extension:=framework
> > (See
> > http://www.osgi.org/javadoc/r4v42/org/osgi/framework/Constants.html#EXTENS
> > ION_DIRECTIVE)
> > 
> > This should configure the Shiro jars (shiro-core, more specifically, and
> > you may have to modify shiro-web as well it sounds like) to load as OSGi
> > fragment bundles and attach to the system bundles. This is how, from what
> > I see online, core libraries like javax.servlet are configured for RAP.
> > 
> > Beyond this, I really don't know much more. Maybe somewhere in the RAP
> > documentation it details how to modify its FRAMEWORK_BOOTDELEGATION,
> > FRAMEWORK_SYSTEMPACKAGES and/or FRAMEWORK_SYSTEMPACKAGES_EXTRA properties,
> > or provides another way to augment the system bundles for the bridge.
> > 
> > Best regards,
> > Bryan Turner
> 
> Thanks a lot for the details. Can you please also explain where your jars and 
> bundles are located inside the war structure and how you start equinox 
> yourself? Even if I may not be able to use that technique myself it may help 
> me understand how it works for you.
> 
> Thanks,
> 
> Lothar
 		 	   		  

Re: Cant access subject with Eclipse RAP

[Lothar Werzinger <lo...@tradescape.biz>]

On Monday, January 10, 2011, Bryan Turner wrote:
> First off, just to make sure it's clear: I've never worked with Eclipse
> RAP, or even the RCP. I'm not sure how some of these concepts are going to
> translate to it. For our application, we control starting/stopping
> Felix/Equinox ourselves, and we're able to make direct use of their
> configuration properties to modify the FRAMEWORK_BOOTDELEGATION packages,
> which we use to push access to Shiro's classes up into the parent
> classloader for our bundles (and the ultimate parent classloader is our
> webapp's loader).
> 
> I'm assuming you're getting the Shiro jar susing Maven, or that you have
> downloaded it yourself. The first thing I'd try would be to modify the
> MANIFEST.MF in that and add the following OSGi directive: Fragment-Host:
> system.bundle; extension:=framework
> (See
> http://www.osgi.org/javadoc/r4v42/org/osgi/framework/Constants.html#EXTENS
> ION_DIRECTIVE)
> 
> This should configure the Shiro jars (shiro-core, more specifically, and
> you may have to modify shiro-web as well it sounds like) to load as OSGi
> fragment bundles and attach to the system bundles. This is how, from what
> I see online, core libraries like javax.servlet are configured for RAP.
> 
> Beyond this, I really don't know much more. Maybe somewhere in the RAP
> documentation it details how to modify its FRAMEWORK_BOOTDELEGATION,
> FRAMEWORK_SYSTEMPACKAGES and/or FRAMEWORK_SYSTEMPACKAGES_EXTRA properties,
> or provides another way to augment the system bundles for the bridge.
> 
> Best regards,
> Bryan Turner

Thanks a lot for the details. Can you please also explain where your jars and 
bundles are located inside the war structure and how you start equinox 
yourself? Even if I may not be able to use that technique myself it may help 
me understand how it works for you.

Thanks,

Lothar

RE: Cant access subject with Eclipse RAP

[Bryan Turner <in...@hotmail.com>]

First off, just to make sure it's clear: I've never worked with Eclipse RAP, or even the RCP. I'm not sure how some of these concepts are going to translate to it. For our application, we control starting/stopping Felix/Equinox ourselves, and we're able to make direct use of their configuration properties to modify the FRAMEWORK_BOOTDELEGATION packages, which we use to push access to Shiro's classes up into the parent classloader for our bundles (and the ultimate parent classloader is our webapp's loader).
 
I'm assuming you're getting the Shiro jar susing Maven, or that you have downloaded it yourself. The first thing I'd try would be to modify the MANIFEST.MF in that and add the following OSGi directive:
Fragment-Host: system.bundle; extension:=framework
(See http://www.osgi.org/javadoc/r4v42/org/osgi/framework/Constants.html#EXTENSION_DIRECTIVE)
 
This should configure the Shiro jars (shiro-core, more specifically, and you may have to modify shiro-web as well it sounds like) to load as OSGi fragment bundles and attach to the system bundles. This is how, from what I see online, core libraries like javax.servlet are configured for RAP.
 
Beyond this, I really don't know much more. Maybe somewhere in the RAP documentation it details how to modify its FRAMEWORK_BOOTDELEGATION, FRAMEWORK_SYSTEMPACKAGES and/or FRAMEWORK_SYSTEMPACKAGES_EXTRA properties, or provides another way to augment the system bundles for the bridge.
 
Best regards,
Bryan Turner
 
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Mon, 10 Jan 2011 17:41:03 -0800
> CC: incommand@hotmail.com
> 
> On Monday, January 10, 2011, Bryan Turner wrote:
> > Yes, we are deploying our OSGi container inside Tomcat (or Jetty, depending
> > on the day). The important distinction may be that we are not loading
> > Shiro as an OSGi bundle. It is a classpath dependency of our webapp
> > itself. When we start Felix (or Equinox), we export Shiro from the jars in
> > the webapp's classpath as a set of system-level bundles--common to the
> > entire OSGi container and available in every classloader.
> > 
> > Best regards,
> > Bryan Turner
> 
> That sounds like it should work for me, too. Can you elaborate a bit in more 
> detail how you actually achieve this?
> 
> 
> Lothar
 		 	   		  

Re: Cant access subject with Eclipse RAP

[Lothar Werzinger <lo...@tradescape.biz>]

On Monday, January 10, 2011, Bryan Turner wrote:
> Yes, we are deploying our OSGi container inside Tomcat (or Jetty, depending
> on the day). The important distinction may be that we are not loading
> Shiro as an OSGi bundle. It is a classpath dependency of our webapp
> itself. When we start Felix (or Equinox), we export Shiro from the jars in
> the webapp's classpath as a set of system-level bundles--common to the
> entire OSGi container and available in every classloader.
> 
> Best regards,
> Bryan Turner

That sounds like it should work for me, too. Can you elaborate a bit in more 
detail how you actually achieve this?


Lothar

RE: Cant access subject with Eclipse RAP

[Bryan Turner <in...@hotmail.com>]

Yes, we are deploying our OSGi container inside Tomcat (or Jetty, depending on the day). The important distinction may be that we are not loading Shiro as an OSGi bundle. It is a classpath dependency of our webapp itself. When we start Felix (or Equinox), we export Shiro from the jars in the webapp's classpath as a set of system-level bundles--common to the entire OSGi container and available in every classloader.

Best regards,
Bryan Turner
 
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Mon, 10 Jan 2011 17:16:37 -0800
> CC: incommand@hotmail.com
> 
> On Monday, January 10, 2011, Bryan Turner wrote:
> > Lothar, have you tried adding Shiro into the seed bundles exported by the
> > OSGi container? Those packages are available in all class loaders, and are
> > the same instances. That's how we're publishing Shiro in our OSGi
> > application (built on Felix, but we've also tested it on Equinox) and it
> > appears to work without any issues.
> > 
> > Best regards,
> > Bryan Turner
> 
> If I use Shiro in my pure OSGi RCP Eclipse app, I have no such problems.
> I only have the problems in the RAP application which uses the equinox server 
> bridge to run equinox inside the web container (tomcat).
> Are you running your OSGi in a web container (tomcat), too?
> 
> The servlet bridge is a bit funky, as one needs to copy the jar files one 
> wants to access from the web container into the WEB_INF/lib directory, 
> otherwise the web container won't find them, whereas the wrapped equinox 
> application has it's bundles in WEB-INF/plugins. Don't ask me why the gods of 
> equinox choose that particular layout.
> 
> Lothar
 		 	   		  

Re: Cant access subject with Eclipse RAP

[Lothar Werzinger <lo...@tradescape.biz>]

On Monday, January 10, 2011, Bryan Turner wrote:
> Lothar, have you tried adding Shiro into the seed bundles exported by the
> OSGi container? Those packages are available in all class loaders, and are
> the same instances. That's how we're publishing Shiro in our OSGi
> application (built on Felix, but we've also tested it on Equinox) and it
> appears to work without any issues.
> 
> Best regards,
> Bryan Turner

If I use Shiro in my pure OSGi RCP Eclipse app, I have no such problems.
I only have the problems in the RAP application which uses the equinox server 
bridge to run equinox inside the web container (tomcat).
Are you running your OSGi in a web container (tomcat), too?

The servlet bridge is a bit funky, as one needs to copy the jar files one 
wants to access from the web container into the WEB_INF/lib directory, 
otherwise the web container won't find them, whereas the wrapped equinox 
application has it's bundles in WEB-INF/plugins. Don't ask me why the gods of 
equinox choose that particular layout.

Lothar

RE: Cant access subject with Eclipse RAP

[Bryan Turner <in...@hotmail.com>]

Lothar, have you tried adding Shiro into the seed bundles exported by the OSGi container? Those packages are available in all class loaders, and are the same instances. That's how we're publishing Shiro in our OSGi application (built on Felix, but we've also tested it on Equinox) and it appears to work without any issues.
 
Best regards,
Bryan Turner
 
> From: lothar@tradescape.biz
> To: user@shiro.apache.org
> Subject: Re: Cant access subject with Eclipse RAP
> Date: Mon, 10 Jan 2011 14:31:03 -0800
> 
> On Monday, January 10, 2011, Jared Bunting wrote:
> > I'm only just starting to learn about OSGI and I don't know anything about
> > Eclipse RAP so I may be way off the mark here. It looks like shiro is
> > getting loaded twice - once by your webapp (or whatever does the filtering)
> > and once by your RAP application. Seems like both of them (assuming they
> > are both bundles?) should do an Import-Package on shiro (and have a shiro
> > bundle) or one should Export-Package on shiro and the other should import
> > it. From what I've read (ie. take it with a grain of salt), I would think
> > this would allow your original code to work.
> 
> Import or export declarations are not the problem here. OSGi uses special 
> class loaders and the OSGi class loader is definitely another one than the 
> class loader of the web container (tomcat) that executes the initial 
> authentication with Shiro.
> So what's needed is a way to transfer the state of the subject (and possibly 
> the security manager) to a (probably new) subject that got created with the 
> correct class loader.
> 
> 
> Lothar
 		 	   		  

Re: Cant access subject with Eclipse RAP

[Lothar Werzinger <lo...@tradescape.biz>]

On Monday, January 10, 2011, Jared Bunting wrote:
> I'm only just starting to learn about OSGI and I don't know anything about
> Eclipse RAP so I may be way off the mark here.  It looks like shiro is
> getting loaded twice - once by your webapp (or whatever does the filtering)
> and once by your RAP application.  Seems like both of them (assuming they
> are both bundles?) should do an Import-Package on shiro (and have a shiro
> bundle) or one should Export-Package on shiro and the other should import
> it.  From what I've read (ie. take it with a grain of salt), I would think
> this would allow your original code to work.

Import or export declarations are not the problem here. OSGi uses special 
class loaders and the OSGi class loader is definitely another one than the 
class loader of the web container (tomcat) that executes the initial 
authentication with Shiro.
So what's needed is a way to transfer the state of the subject (and possibly 
the security manager) to a (probably new) subject that got created with the 
correct class loader.


Lothar

Re: Cant access subject with Eclipse RAP

[Jared Bunting <ja...@digitalreasoning.com>]

I'm only just starting to learn about OSGI and I don't know anything about
Eclipse RAP so I may be way off the mark here.  It looks like shiro is
getting loaded twice - once by your webapp (or whatever does the filtering)
and once by your RAP application.  Seems like both of them (assuming they
are both bundles?) should do an Import-Package on shiro (and have a shiro
bundle) or one should Export-Package on shiro and the other should import
it.  From what I've read (ie. take it with a grain of salt), I would think
this would allow your original code to work.

-Jared 


On 1/10/11 3:22 PM, "Lothar Werzinger" <lo...@tradescape.biz> wrote:

> On Friday, January 07, 2011, Lothar Werzinger wrote:
>> Hi,
>> 
>> I am trying to use Shiro with an Eclipse RAP web application in a tomcat6
>> container.
>> 
>> I configured a ShiroFilter in the web.xml and Shiro does indeed ask for the
>> login and verifies it correctly.
>> 
>> However in the application code I get a
>> UnavailableSecurityManagerException:
>> 
>> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
>> accessible to the calling code, either bound to the
>> org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is
>> an invalid application configuration.
>> 
>> 
>> This is probably due to the equinox servletbridge.
>> 
>> I then added code to initialise the SecurityManager in my app manually and
>> register my realm with it. After that I can get a subject, but it is not
>> authorised:
>> 
>> I do get a principal from the HttpServletRequest (and that shows that Shiro
>> initially did authorise me):
>> 
>>   HttpServletRequest request = RWT.getRequest();
>>   request.getRemoteUser() => lothar
>>   request.getUserPrincipal() => lothar
>>   request.getUserPrincipal().getClass().getName() =>
>> org.apache.shiro.web.servlet.ShiroHttpServletRequest$ObjectPrincipal
>> 
>> 
>> But if I try to access the Shiro subject I get:
>> 
>>   Subject subject = SecurityUtils.getSubject();
>>   subject.isAuthenticated() => false
>>   subject.getPrincipal() => null
>  
> 
> I did more digging and found this is because the Eclipse RAP application being
> an OSGi application it has obviously a different class loader.
> 
> If I access the request (which is a ShiroHttpServletRequest) via reflection to
> extract the subject (as the accessor is unfortunately protected)
>     
>   Class<?> clazz = request.getClass();
>   Method getSubject = clazz.getDeclaredMethod("getSubject");
>   getSubject.setAccessible(true);
>   Object object = getSubject.invoke(request);
>   WebDelegatingSubject subject = (WebDelegatingSubject) object;
> 
> the the cast to WebDelegatingSubject fails due to the different class loader:
> 
>   java.lang.ClassCastException:
>   org.apache.shiro.web.subject.support.WebDelegatingSubject cannot be cast to
>   org.apache.shiro.web.subject.support.WebDelegatingSubject
> 
> 
> Is there a way for Shiro to communicate the state of the subject across class
> loaders? If so, how can I accomplish this?
> 
> Any help is highly appreciated.
> 
> Thanks!
> 
> Lothar

Re: Cant access subject with Eclipse RAP

[Lothar Werzinger <lo...@tradescape.biz>]

On Friday, January 07, 2011, Lothar Werzinger wrote:
> Hi,
> 
> I am trying to use Shiro with an Eclipse RAP web application in a tomcat6
> container.
> 
> I configured a ShiroFilter in the web.xml and Shiro does indeed ask for the
> login and verifies it correctly.
> 
> However in the application code I get a
> UnavailableSecurityManagerException:
> 
> org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager
> accessible to the calling code, either bound to the
> org.apache.shiro.util.ThreadContext or as a vm static singleton.  This is
> an invalid application configuration.
> 
> 
> This is probably due to the equinox servletbridge.
> 
> I then added code to initialise the SecurityManager in my app manually and
> register my realm with it. After that I can get a subject, but it is not
> authorised:
> 
> I do get a principal from the HttpServletRequest (and that shows that Shiro
> initially did authorise me):
> 
>   HttpServletRequest request = RWT.getRequest();
>   request.getRemoteUser() => lothar
>   request.getUserPrincipal() => lothar
>   request.getUserPrincipal().getClass().getName() =>
> org.apache.shiro.web.servlet.ShiroHttpServletRequest$ObjectPrincipal
> 
> 
> But if I try to access the Shiro subject I get:
> 
>   Subject subject = SecurityUtils.getSubject();
>   subject.isAuthenticated() => false
>   subject.getPrincipal() => null
 

I did more digging and found this is because the Eclipse RAP application being 
an OSGi application it has obviously a different class loader.

If I access the request (which is a ShiroHttpServletRequest) via reflection to 
extract the subject (as the accessor is unfortunately protected)
    
  Class<?> clazz = request.getClass();
  Method getSubject = clazz.getDeclaredMethod("getSubject");
  getSubject.setAccessible(true);
  Object object = getSubject.invoke(request);
  WebDelegatingSubject subject = (WebDelegatingSubject) object;

the the cast to WebDelegatingSubject fails due to the different class loader:

  java.lang.ClassCastException:
  org.apache.shiro.web.subject.support.WebDelegatingSubject cannot be cast to
  org.apache.shiro.web.subject.support.WebDelegatingSubject


Is there a way for Shiro to communicate the state of the subject across class 
loaders? If so, how can I accomplish this?

Any help is highly appreciated.

Thanks!

Lothar