Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-24 Thread Steinar Bang
> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:

> Ah, that’s a different world here unfortunately… you are on your own there

Yep.

There may be a feature request about a parametrized classloader (which
is a good idea in any case) going all the way into the code that tries
to load a class by name, followed with a PR, of course.

(If this is the cause for the ClassNotFoundException, that is... but if,
when I get in there, the default class loader is used, then yes it is...)

Here is the 2020 change when I stopped using a now-obsolete API to
manually register an instance of the class PassThruAuthenticationFilter
as authc and instead put it into the shiro.ini file.
 
https://github.com/steinarb/authservice/commit/1abf29b06f19f9b413fa82e7b99e918a588634e8

I haven't made a note of why I didn't use the shiro.ini for this from
the start, but the vague bell in the back of my head keeps saying
ClassNotFoundException.

And at some point in time (sometime between 2016 and 2020) this changed
with shiro 1.x so using the INI file to register
PassThruAuthenticationFilter started working, and I could make the above
change.


Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-23 Thread lenny
Ah, that’s a different world here unfortunately… you are on your own there

> On May 23, 2024, at 11:59 AM, Steinar Bang  wrote:
> 
>> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:
> 
>> That’s hardly enough to go on. Sounds like a configuration issue.
> 
> No, that's just me thinking out loud.
> 
>> Do you have a reproducer?
> 
> Not yet, but the first stack trace in the log is failing in INI parsing
> because of "ClassNotFoundException", and I suspect it has to do with
> using the default classloader and me running under OSGi on karaf...?
> 
> And this rings a faint bell (I think I have been here before...), so I
> will trawl old git commits to see what I did for a workaround earlier
> and when I stopped needing the workaround because of changes in shiro
> 1.x (and also if this is linked to an old issue).
> 
> This may be me just hallucinating and misremembering, but it's the track
> of investigation I will follow first.
> 
> (but if you happen to know where and if I could feed INI parsing a
> custom classloader I would be happy to learn about it...?)
> 



Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-23 Thread Steinar Bang
> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:

> That’s hardly enough to go on. Sounds like a configuration issue.

No, that's just me thinking out loud.

> Do you have a reproducer?

Not yet, but the first stack trace in the log is failing in INI parsing
because of "ClassNotFoundException", and I suspect it has to do with
using the default classloader and me running under OSGi on karaf...?

And this rings a faint bell (I think I have been here before...), so I
will trawl old git commits to see what I did for a workaround earlier
and when I stopped needing the workaround because of changes in shiro
1.x (and also if this is linked to an old issue).

This may be me just hallucinating and misremembering, but it's the track
of investigation I will follow first.

(but if you happen to know where and if I could feed INI parsing a
custom classloader I would be happy to learn about it...?)


Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-22 Thread lenny
Hi,
That’s hardly enough to go on. Sounds like a configuration issue.
Do you have a reproducer?

> On May 22, 2024, at 12:33 PM, Steinar Bang  wrote:
> 
>> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:
> 
>> Awesome! Thank you for your contributions and help! We appreciate it.
> 
> My pleasure!
> 
> I'm not all there yet, however...:-)
> 
> All applications built without compilation and test errors, but I'm
> currently getting
> HTTP ERROR 500 org.apache.shiro.UnavailableSecurityManagerException: No 
> SecurityManager accessible to the calling code, either bound to the 
> org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an 
> invalid application configuration.
> 
> Maybe it's time to read the upgrade/release notes...? :-)
> 
> (so far, all I've done, is to bump version numbers in the maven pom,
> and move ByteSource.Util to a new package)
> 
> (and I'm using a snapshot built from yesterday evening's main, after the
> shiro-jaxrs fix)
> 



Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-22 Thread Steinar Bang
> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:

> Awesome! Thank you for your contributions and help! We appreciate it.

My pleasure!

I'm not all there yet, however...:-)

All applications built without compilation and test errors, but I'm
currently getting
 HTTP ERROR 500 org.apache.shiro.UnavailableSecurityManagerException: No 
SecurityManager accessible to the calling code, either bound to the 
org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an 
invalid application configuration.

Maybe it's time to read the upgrade/release notes...? :-)

(so far, all I've done, is to bump version numbers in the maven pom,
and move ByteSource.Util to a new package)

(and I'm using a snapshot built from yesterday evening's main, after the
shiro-jaxrs fix)


Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-21 Thread lenny
Awesome! Thank you for your contributions and help! We appreciate it.

> On May 21, 2024, at 4:45 PM, Steinar Bang  wrote:
> 
>> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org
> 
>> There are plenty of tests already. They were all expecting flipped values,
>> as the naming is very confusing. No need for any new tests.
> 
> Ok.
> 
> Anyway! My stuff builds against a snapshot from the current main of
> shiro.
> 
> Thanks!
> 
> (Tomorrow I will know if it actually works with shiro 2.x :-) )
> 



Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-21 Thread Steinar Bang
> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org

> There are plenty of tests already. They were all expecting flipped values,
> as the naming is very confusing. No need for any new tests.

Ok.

Anyway! My stuff builds against a snapshot from the current main of
shiro.

Thanks!

(Tomorrow I will know if it actually works with shiro 2.x :-) )


Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-21 Thread lenny
There are plenty of tests already. They were all expecting flipped values,
as the naming is very confusing. No need for any new tests.


> On May 21, 2024, at 12:18 PM, Steinar Bang  wrote:
> 
>> Steinar Bang :
> 
>> Would you like a port of my unit tests to the shiro-jaxrs project (a 200
>> OK test (logged in user with role admin), a 401 Authenticate test (user
>> not logged in) and a 403 Forbidden test (user without role admin logged
>> in))?
> 
> But that offer is only good if I can use this test dependency:
> https://mvnrepository.com/artifact/com.mockrunner/mockrunner-servlet/2.0.7
> (because without it it will be too much work)
> 
> mockrunner is under a license based on Apache 1.1
> https://github.com/mockrunner/mockrunner/blob/master/LICENSE.txt
> 



Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-21 Thread Steinar Bang
> Steinar Bang :

> Would you like a port of my unit tests to the shiro-jaxrs project (a 200
> OK test (logged in user with role admin), a 401 Authenticate test (user
> not logged in) and a 403 Forbidden test (user without role admin logged
> in))?

But that offer is only good if I can use this test dependency:
 https://mvnrepository.com/artifact/com.mockrunner/mockrunner-servlet/2.0.7
(because without it it will be too much work)

mockrunner is under a license based on Apache 1.1
 https://github.com/mockrunner/mockrunner/blob/master/LICENSE.txt


Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-21 Thread Steinar Bang
> Steinar Bang :
> lenny-5o6p1tln9c5dpfhejli6iq-xmd5yjdbdmrexy1tmh2...@public.gmane.org:

>> Sheesh, I think you are right :)

> Would you like me to create a new GitHub issue?

Never mind! I saw you reopened the old issue.

Would you like a port of my unit tests to the shiro-jaxrs project (a 200
OK test (logged in user with role admin), a 401 Authenticate test (user
not logged in) and a 403 Forbidden test (user without role admin logged
in))?

I see the project has no tests currently...?

I've signed the apache CLA back in 2019.

I signed the CLA to get a PR accepted into shiro (base64 coding of the
salt for entries in the jdbc realm).
 https://github.com/apache/shiro/pull/138#issuecomment-497344471


Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-20 Thread lenny
Sheesh, I think you are right :)

> On May 20, 2024, at 4:01 PM, Steinar Bang  wrote:
> 
>> Steinar Bang :
> 
>> lenny-5o6p1tln9c5dpfhejli6iq-xmd5yjdbdmrexy1tmh2...@public.gmane.org:
>>> Hi,
>>> I believe this will be fixed in 2.0.1
>>> See https://github.com/apache/shiro/issues/1383 for details.
> 
>> Ah, thanks!
> 
>> I will hold off switching from 1.13.0 until 2.0.1 is out.
> 
> Just tried a snapshot built from the current main and the fix still
> doesn't work for me: the test expecting 403 gets 401 and the test
> expecting 401 gets 403.
> 
> The test expecting 403 uses a logged in user without the required role:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L127
> 
> The test expecting 401 has no user logged in:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L147
> 
> I put more info in a comment on issue 1383:
> https://github.com/apache/shiro/issues/1383#issuecomment-2121189462
> 



Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-05-20 Thread Steinar Bang
> Steinar Bang :

> lenny-5o6p1tln9c5dpfhejli6iq-xmd5yjdbdmrexy1tmh2...@public.gmane.org:
>> Hi,
>> I believe this will be fixed in 2.0.1
>> See https://github.com/apache/shiro/issues/1383 for details.

> Ah, thanks!

> I will hold off switching from 1.13.0 until 2.0.1 is out.

Just tried a snapshot built from the current main and the fix still
doesn't work for me: the test expecting 403 gets 401 and the test
expecting 401 gets 403.

The test expecting 403 uses a logged in user without the required role:
 
https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L127

The test expecting 401 has no user logged in:
 
https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L147

I put more info in a comment on issue 1383:
 https://github.com/apache/shiro/issues/1383#issuecomment-2121189462


Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-04-28 Thread Steinar Bang
> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:

> Hi,
> I believe this will be fixed in 2.0.1
> See https://github.com/apache/shiro/issues/1383 for details.

Ah, thanks!

I will hold off switching from 1.13.0 until 2.0.1 is out.

Thanks again!


Re: shiro-jaxrs of shiro 2.0.0: tests expecting 403 get 401 and tests expecting 401 get UnauthenticatedException

2024-04-28 Thread lenny
Hi,

I believe this will be fixed in 2.0.1
See https://github.com/apache/shiro/issues/1383 for details.

> On Apr 28, 2024, at 10:03 AM, Steinar Bang  wrote:
> 
> I'm trying to switch from shiro 1.13.0 to shiro 2.0.0 and I'm running
> into test failures in my tests of jersey JAX-RS resources.
> 
> I am getting 401 Unauthorized responses where I'm expecting 403
> Forbidden (accessing rest endpoint with a logged in user without the
> required role) and I'm getting UnauthenticatedException where I'm
> expecting a 401 Unauthorized response.
> 
> Here is an example test expecting 403 but getting 401:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L127
> 
> Here is an example test expecting 401 but getting UnauthenticatedException:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/JerseyServletTest.java#L147
> 
> Here is the shiro-jaxrs annotated jersey resource:
> https://github.com/steinarb/servlet/blob/master/servlet/servlet.jersey/src/test/java/no/priv/bang/servlet/jersey/test/resources/ProtectedHelloResource.java#L13
> 
> Is there a way for me to get the old behaviour?
> 
> I.e. get the same behaviour I had with shiro-jaxrs for shiro 1.13.0?
> 
> Thanks!
> 
> 
> - Steinar
>
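
The status mapping that the tests in this thread expect (401 when no user is logged in, 403 when a logged-in user lacks the required role), written out as an added example that is not part of the original messages and is not Shiro's own mapper. The class name `AuthzStatusMapper` is hypothetical, the `javax.ws.rs` namespace is assumed, and reporting other `AuthorizationException` subtypes as 403 is a choice made for this example.

```java
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;

// Hypothetical class name; javax.ws.rs is assumed (swap for jakarta.ws.rs if needed).
@Provider
public class AuthzStatusMapper implements ExceptionMapper<AuthorizationException> {

    // Decision kept separate from Response building so it runs without a JAX-RS runtime.
    static Status statusFor(AuthorizationException e) {
        if (e instanceof UnauthenticatedException) {
            return Status.UNAUTHORIZED; // nobody is logged in: 401
        }
        if (e instanceof UnauthorizedException) {
            return Status.FORBIDDEN;    // logged in, required role missing: 403
        }
        // Assumption of this example: any other authorization failure is
        // still a denial and is reported as 403.
        return Status.FORBIDDEN;
    }

    @Override
    public Response toResponse(AuthorizationException e) {
        return Response.status(statusFor(e)).build();
    }

    private static void expect(AuthorizationException e, int code) {
        int actual = statusFor(e).getStatusCode();
        if (actual != code) {
            throw new AssertionError(e.getClass().getSimpleName()
                    + ": got " + actual + ", expected " + code);
        }
    }

    // Constructed inputs mirroring the two test cases in the thread.
    public static void main(String[] args) {
        expect(new UnauthenticatedException("no user logged in"), 401);
        expect(new UnauthorizedException("user lacks role admin"), 403);
        expect(new AuthorizationException("other failure"), 403);
    }
}
```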