Posted to user@shiro.apache.org by whitneyrzoller <wh...@gmail.com> on 2012/06/16 15:15:05 UTC

Filter for getting Subject and authorizing in REST requests w/only a sessionId

Hello all.

From a client (browser) I will be making HTTP requests to a web-service that
is running shiro. The client has *only* the sessionId (created by a
username/password POST to an auth-service running shiro, which authenticates
the user, creates the session, stores it in Redis and returns the sessionId
). In order to execute further authed requests against another web-service,
I will have only the sessionId generated by the auth-service. Essentially
this is the same arrangement as described in this post:
http://stackoverflow.com/questions/8501058/shiro-authentication-with-sessionid-or-usernamepassword

In this new service (call it the user service), I would like to filter
RESTful requests and perform authorization: checking to make sure the
Subject associated with the sessionId has the specified permissions and
returning an HTTP 401 or 403 if the session is invalid or the user is
lacking the proper permissions. I do not want the shiro-enabled user-service
to perform any redirects; I only want it to return success or auth-failure
status codes and defer what happens in terms of redirection to the calling
client (browser/js). 

Here is an example of how I've setup the relevant parts of my shiro.ini in
the user-service: 
[main]
...
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
...
sessionDAO = com.rtr.auth.client.dao.RedisSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO

[urls]
/users/** = rest["auth:users:create", "auth:users:update",
"auth:users:delete", "auth:users:read"]

As you can see I am using the
org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter filter because
in my REST service the HTTP-method uniquely identifies endpoints.

And here is an example of the kind of request I would like to be able to
make from the front end:
curl --cookie "JSESSIONID=057b05c0-51ab-43dc-849e-69bfc97c811b" --request GET -w "\nHTTP status code: %{http_code}\n" "http://localhost:8080/users/12"

So my first question is this: is it possible to perform this kind of
authorization filtering given *only* a sessionId? I do not see how shiro
enables this given that the information stored in the session is as follows
(in Redis):
{"id":"057b05c0-51ab-43dc-849e-69bfc97c811b","attributes":null,"host":"127.0.0.1","valid":true,"timeout":1800000,"expired":false,"startTimestamp":1338783200805,"lastAccessTime":1338783200805,"attributeKeys":[],"stopTimestamp":null}
Notice that there is no username associated with this session, and thus it
is impossible to associate this session with any realm information. This
suspicion is borne out by the fact that when I log in using a POST to the auth
service (with a username and password), the Subject returned by
SecurityUtils.getSubject() is aware of the roles, and permissions granted
and defined in terms of the configured JdbcRealm. Contrast this with the
user-service context where I build the Subject via: Subject currentUser =
new Subject.Builder(securityManager).sessionId(sessionId).buildSubject(). In
this context the /currentUser/ has no Principal, and is not aware of its
roles and permissions.

Do I need to implement my own rest-like filter that would be able to do
everything the rest filter does but also determine the Subject via a
username stored as a property of the session? Obviously I would prefer not to
if there is already a built-in mechanism to perform the kind of filtering
described above.

Many apologies for being so long-winded--I figured more detail would be more
helpful--any suggestions would be very much appreciated.

Thank you,

Whitney

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Filter-for-getting-Subject-and-authorizing-in-REST-requests-w-only-a-sessionId-tp7577516.html
Sent from the Shiro User mailing list archive at Nabble.com.
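Added example (not code from this thread or from Shiro itself): a Java filter extending the `rest` filter (HttpMethodPermissionFilter) that, when the Subject resolved from the JSESSIONID has no principal, reads a login name from a session attribute, rebuilds the Subject with that principal so the realm can load its permissions, and answers 401/403 without redirecting. The attribute key "username", the realm name "jdbcRealm" and the class name are assumptions, as is the auth-service storing that attribute when it creates the session.

```java
import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;
import org.apache.shiro.web.util.WebUtils;

public class RestSessionPermissionFilter extends HttpMethodPermissionFilter {
    // Assumed: the auth-service stores the login name under this session attribute,
    // and the user-service's JdbcRealm is registered under this realm name.
    static final String USERNAME_ATTR = "username";
    static final String REALM_NAME = "jdbcRealm";

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
        Subject subject = getSubject(request, response);
        if (subject.getPrincipal() == null) {
            // getSession(false): never create a session for an unknown or expired JSESSIONID
            Session session = subject.getSession(false);
            Object username = (session == null) ? null : session.getAttribute(USERNAME_ATTR);
            if (username == null) {
                return false;  // anonymous -> onAccessDenied answers 401
            }
            // Trust the auth-service's session record: attach the principal (keeping the
            // same session) so the realm can load this user's roles and permissions.
            subject = new Subject.Builder(SecurityUtils.getSecurityManager())
                    .sessionId(session.getId())
                    .principals(new SimplePrincipalCollection(username, REALM_NAME))
                    .authenticated(true)
                    .buildSubject();
            ThreadContext.bind(subject);  // getSubject() in the superclass now sees it
        }
        // Superclass maps GET/POST/PUT/DELETE to the :read/:create/:update/:delete permission
        return super.isAccessAllowed(request, response, mappedValue);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
        // No redirects: 401 for an invalid/anonymous session, 403 for a known user lacking the permission
        boolean anonymous = getSubject(request, response).getPrincipal() == null;
        WebUtils.toHttp(response).sendError(anonymous
                ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN);
        return false;  // stop the filter chain
    }
}
```

Shiro's DefaultSubjectDAO already stores the logged-in principals in the session (under DefaultSubjectContext.PRINCIPALS_SESSION_KEY) when the auth-service's SessionDAO persists the updated session after login, so a Redis record with "attributeKeys":[] suggests that DAO is not saving attributes. Once it does, Subject.Builder(...).sessionId(...).buildSubject() resolves the principals by itself and only the onAccessDenied override above is still needed.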

Re: Filter for getting Subject and authorizing in REST requests w/only a sessionId

Posted by mircea <mi...@yahoo.ca>.
Hello Whitney,

I came across the same kind of problem: I want to check authorization
based on a sessionID (cookie) without previously authenticating the user
(the user is authenticated via another service which has a common DB). If
the request (which is actually a service) has the cookie, I check the cookie
in a remote DB and hence authorize based on the cookie.
I want to add authorization on resources (REST API).

Did you succeed in solving the issue?


