Hi Les,
Thanks for noticing that. As I said, I'm new to Grails too, so I wasn't sure how to configure a 'Java' filter into the app (I wasn't seeing my web.xml :-) ). Anyways, a little more searching and I've figured out how to do it, followed your suggestion, and configured the standard filter into the web.xml. All is working in my webapp as expected (so far at least :D ).

I'm not using the standard grails-jsecurity plug-in as I need instance-based authz and have different types of users which I'm validating through my own Service classes.

On another note, I'm finding JSecurity (Ki) much easier to use compared to JAAS and am really enjoying using it. The permissions are generated at runtime after the user has been logged in. The WildcardPermission is working beautifully.

Thanks once again.
Shams.

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Les Hazlewood
Sent: Friday, April 03, 2009 7:56 AM
To: [email protected]
Subject: Re: Subject reset when page refreshed with F5 the second time

Hi Shams,

Your Groovy class "JSecurityFilters" doesn't appear to do everything necessary. Look at the existing 'master' Filter here:

https://svn.apache.org/repos/asf/incubator/jsecurity/trunk/web/src/main/java/org/apache/ki/web/servlet/KiFilter.java

It needs to wrap the servlet request and, depending on the sessionMode, the servlet response for special 'interceptor' functionality.

I'm not a Grails user, so you'll have to excuse my ignorance, but why aren't you using the standard KiFilter (was called JSecurityFilter)? I was fairly certain that the Grails JSecurity plugin would enable it (but I could be wrong).

Regards,
Les

On Thu, Apr 2, 2009 at 3:21 PM, Imam, Shams <[email protected]> wrote:

Careless on my part to not read the entire documentation. Seems I needed to use DefaultWebSecurityManager and configure a filter.
Removed the bootstrap code and added a filter:

    class JSecurityFilters {
        SecurityManager securityManager = null;

        SecurityManager getSecurityManager() {
            if (securityManager == null) {
                synchronized (JSecurityFilters.class) {
                    if (securityManager == null) {
                        // Initialize the jSecurity realm
                        securityManager = new DefaultWebSecurityManager();
                        securityManager.setRealm(new MyCustomRealm());
                        SecurityUtils.setSecurityManager(securityManager);
                    }
                }
            }
            return securityManager
        }

        def filters = {
            securityFilter(controller: '*', action: '*') {
                before = {
                    ThreadContext.bind(WebUtils.getInetAddress(request))
                    WebUtils.bind(request)
                    WebUtils.bind(response)
                    ThreadContext.bind(getSecurityManager())
                    ThreadContext.bind(getSecurityManager().getSubject())
                    return true
                }
                afterView = {
                    ThreadContext.unbindSubject()
                    ThreadContext.unbindSecurityManager()
                    WebUtils.unbindServletResponse()
                    WebUtils.unbindServletRequest()
                    ThreadContext.unbindInetAddress()
                }
            }
        }
    }

Stuff seems to be working for now unless I have missed other pointers ;)

Shams

________________________________
From: Imam, Shams [mailto:[email protected]]
Sent: Thursday, April 02, 2009 9:42 AM
To: [email protected]
Subject: Subject reset when page refreshed with F5 the second time

Hi everyone,

I'm new to both Grails and JSecurity. I'm trying to integrate JSecurity into our existing webapp. I've implemented a custom Realm and am using a 'non-remember me' token. My Account returns string-based permissions.

Now to the actual problem I'm facing: Whenever I refresh a page using F5 on Firefox (haven't tested on other browsers yet) my Subject gets reset the second time. However, if I continue browsing the pages by clicking on the various links my Subject doesn't get reset. Any idea why this is happening and how I can avoid the Subject reset?

Below is a summary of my grails bootstrap code and log outputs.
Code in Grails Bootstrap:
=========================

    def init = {servletContext ->
        println '--- BootStrap ---'
        // Initialize the jSecurity realm
        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setRealm(new MyCustomRealm());
        SecurityUtils.setSecurityManager(securityManager);
        println '1a - ThreadContext.securityManager: ' + org.jsecurity.util.ThreadContext.getSecurityManager()
        println '1b - ThreadContext.securityManager.subject: ' + org.jsecurity.util.ThreadContext.getSecurityManager()?.getSubject()
        println '2 - SecurityUtils.securityManager.subject' + org.jsecurity.SecurityUtils.securityManager?.getSubject()
    }

Summary of Console Outputs:
===========================

    --- BootStrap ---
    1a - ThreadContext.securityManager: null
    1b - ThreadContext.securityManager.subject: null
    2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSub j...@165391b

    // The login page
    session.originalRequestParams.zipcode = 76092
    hasPermission:'admin|reviewer' -> false : JSecurity Session: org.jsecurity.subject.delegatingsubject$stoppingawareproxiedsess...@13f8 66 with timeout 1800000 and principal null
    Grails session id: 4v2u9cqs9y4i
    1a - ThreadContext.securityManager: null
    2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSub j...@17ff60e

    // Login successful
    Login: Session: org.jsecurity.subject.delegatingsubject$stoppingawareproxiedsess...@cfd5 ee with timeout 1800000

    // Home page after login
    hasPermission:'admin|reviewer' -> true : JSecurity Session: org.jsecurity.subject.delegatingsubject$stoppingawareproxiedsess...@cfd5 ee with timeout 1800000 and principal Test:REVIEWER
    Grails session id: 4v2u9cqs9y4i
    1a - ThreadContext.securityManager: null
    2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSub j...@17ff60e
    lacksPermission:'admin|reviewer' -> false : Session: org.jsecurity.subject.delegatingsubject$stoppingawareproxiedsess...@cfd5 ee with timeout 1800000 and principal Test:REVIEWER

    // Refresh using F5 first time
    hasPermission:'admin|reviewer' -> true : JSecurity Session: org.jsecurity.subject.delegatingsubject$stoppingawareproxiedsess...@cfd5 ee with timeout 1800000 and principal Test:REVIEWER
    Grails session id: 4v2u9cqs9y4i
    1a - ThreadContext.securityManager: null
    2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSub j...@17ff60e
    lacksPermission:'admin|reviewer' -> false : Session: org.jsecurity.subject.delegatingsubject$stoppingawareproxiedsess...@cfd5 ee with timeout 1800000 and principal Test:REVIEWER

    // Refresh using F5 second time
    hasPermission:'admin|reviewer' -> false : JSecurity Session: org.jsecurity.subject.delegatingsubject$stoppingawareproxiedsess...@cc43 64 with timeout 1800000 and principal null
    Grails session id: 4v2u9cqs9y4i
    1a - ThreadContext.securityManager: null
    2 - SecurityUtils.securityManager.subjectorg.jsecurity.subject.DelegatingSub j...@5c775d
    lacksPermission:'admin|reviewer' -> true : Session: org.jsecurity.subject.delegatingsubject$stoppingawareproxiedsess...@cc43 64 with timeout 1800000 and principal null

Thanks,
Shams
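A simplified model of why a servlet filter has to bind the security context from the session at the start of every request and unbind it at the end, as discussed in the thread above. This is an added example, not code from the thread or from JSecurity: the class and method names are hypothetical, and the container's thread pool is modelled with two single-thread executors. That the reset in the logs came from a request landing on a different worker thread is an assumption; the logs do not show thread names.

```java
import java.util.Map;
import java.util.concurrent.*;

// Hypothetical model, not JSecurity code: per-thread state vs per-session lookup.
public class SubjectBindingDemo {
    // Stand-in for a thread-bound security context (one slot per worker thread).
    static final ThreadLocal<String> THREAD_SUBJECT = new ThreadLocal<>();
    // Stand-in for server-side session storage, keyed by session id.
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    // Broken: the principal is written to the worker thread at login and never rebound.
    static String naiveRequest(boolean login) {
        if (login) THREAD_SUBJECT.set("Test:REVIEWER");
        return String.valueOf(THREAD_SUBJECT.get());
    }

    // Filter-style: bind from the session before the handler, always unbind after.
    static String filteredRequest(String sessionId, boolean login) {
        if (login) SESSIONS.put(sessionId, "Test:REVIEWER");
        THREAD_SUBJECT.set(SESSIONS.get(sessionId));
        try {
            return String.valueOf(THREAD_SUBJECT.get()); // the handler would run here
        } finally {
            THREAD_SUBJECT.remove(); // runs even if the handler throws
        }
    }

    public static void main(String[] args) throws Exception {
        // Two worker threads, as a container pool would have (constructed scenario).
        ExecutorService workerA = Executors.newSingleThreadExecutor();
        ExecutorService workerB = Executors.newSingleThreadExecutor();
        String sid = "constructed-session-id";
        try {
            System.out.println("naive login  on A: " + workerA.submit(() -> naiveRequest(true)).get());
            System.out.println("naive reload on A: " + workerA.submit(() -> naiveRequest(false)).get());
            System.out.println("naive reload on B: " + workerB.submit(() -> naiveRequest(false)).get());
            System.out.println("filtered login  on A: " + workerA.submit(() -> filteredRequest(sid, true)).get());
            System.out.println("filtered reload on B: " + workerB.submit(() -> filteredRequest(sid, false)).get());
        } finally {
            workerA.shutdown();
            workerB.shutdown();
        }
    }
}
```

In the naive variant, worker A also keeps the principal after the request ends, so the next request scheduled on it, from any session, would see Test:REVIEWER. The `finally` block in the filter-style variant is what prevents that leak.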
