Re: Securing Tynamo tapestry-resteasy with Shiro
Hi there, Richard. I created a SecurityRequestFilter that reads the header for an auth token and authorizes (or not). Then it passes the request on to the other filters. Part of the code, for example:

public class SecurityRequestFilter implements HttpServletRequestFilter {

    @Inject
    private SecurityService securityService;

    // the logger used below was not declared in the original excerpt
    @Inject
    private Logger slog;

    @Override
    public boolean service(HttpServletRequest request, HttpServletResponse response,
                           HttpServletRequestHandler handler) throws IOException {
        // login(...) validates the token and logs the subject in; its body is not part of the excerpt
        if (request.getHeader("Authorization") != null)
            login(request.getHeader("Authorization"));
        else
            slog.info("Anonymous request detected.");
        return handler.service(request, response);
    }
}

As for the application module (the main Tapestry configuration class):

@Contribute(HttpServletRequestHandler.class)
public static void httpServletRequestHandler(OrderedConfiguration<HttpServletRequestFilter> configuration,
        @InjectService("ServletRequestFilter") HttpServletRequestFilter servletRequestFilter,
        @InjectService("SecurityRequestFilter") HttpServletRequestFilter securityRequestFilter) {
    configuration.add("SecurityRequestFilter", securityRequestFilter,
            "after:SecurityConfiguration", "before:ResteasyRequestFilter");
    configuration.add("ServletRequestFilter", servletRequestFilter,
            "after:ResteasyRequestFilter", "before:GZIP");
}

I can't say that's the right thing to do, but my way works fine for using tapestry-security with tapestry-resteasy. Good luck.

On 5 May 2017 at 23:49, Richard Frovarp wrote:
> I'm wondering if there is a straightforward way to secure tapestry-resteasy with Shiro. We're already using tapestry-security. I have a student doing some work to do this, and it doesn't seem like the two work together. We can protect the URL path from the AppModule using the Shiro code like we do everywhere else. However, we can't get annotations to work on the REST "pages" or methods. I would like to be able to do things like access level access control and permission based control based on the authenticated user through the same Shiro tools that we have been using.
>
> It feels like we're missing something. I can probably build my own integration, but if it is already solved and we are just missing it, I would rather do it the correct way.
>
> Thanks,
>
> Richard
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org

--
With best regards,
Pavel Chernyak
Securing Tynamo tapestry-resteasy with Shiro
I'm wondering if there is a straightforward way to secure tapestry-resteasy with Shiro. We're already using tapestry-security. I have a student doing some work to do this, and it doesn't seem like the two work together. We can protect the URL path from the AppModule using the Shiro code like we do everywhere else. However, we can't get annotations to work on the REST "pages" or methods. I would like to be able to do things like access level access control and permission based control based on the authenticated user through the same Shiro tools that we have been using.

It feels like we're missing something. I can probably build my own integration, but if it is already solved and we are just missing it, I would rather do it the correct way.

Thanks,

Richard
Re: Tapestry-security/shiro check for 'any' permission
It's been a while, but I think you are correct about how Shiro works. I would use a role to solve this. You can make a role like "maintainer" and assign that role to anyone that can maintain objects. Then you can protect any pages after the URL /maintain.

On Wednesday, April 19, 2017, Robin Garner wrote:
> I've just about finished adding my first feature that uses object permissions to a tapestry app (tapestry-security 0.5.1, tapestry 5.3.8). Users are given permissions to the objects they are allowed to maintain; when they go to the new page, only the objects they have permission to maintain appear on the list of objects, and when they try to POST a change, shiro ensures they have rights to the object. All works, no problems.
>
> This new feature is functionality that not all users have access to, so on the front page I want to add a link that only appears for users who have access. This is where I run into a problem - it doesn't seem possible to ask whether a user has a certain access to an object, instead of access to all objects or to one particular object.
>
> Using Shiro's favorite example, the problem is this:
>
> Users have permissions of the form 'printer:print:laserjet3440', 'printer:view:canonb2'. If I say
>
> ...
>
> the option only appears for users who have the wildcard permission, not the real users who may have rights to one or several printers. What I think we need is an existential wildcard ('printer:view:?' maybe) that matches any object.
>
> From what I can tell, Shiro simply doesn't have this functionality in its permissions.
>
> The workaround I've used for now is to grant every user who has one of these object-based permissions an 'any' permission, e.g. 'printer:view:-any-', and to base the page permissions on this.
>
> Have I missed anything obvious? What do other people do?
>
> Regards,
> Robin
Tapestry-security/shiro check for 'any' permission
I've just about finished adding my first feature that uses object permissions to a tapestry app (tapestry-security 0.5.1, tapestry 5.3.8). Users are given permissions to the objects they are allowed to maintain; when they go to the new page, only the objects they have permission to maintain appear on the list of objects, and when they try to POST a change, shiro ensures they have rights to the object. All works, no problems.

This new feature is functionality that not all users have access to, so on the front page I want to add a link that only appears for users who have access. This is where I run into a problem - it doesn't seem possible to ask whether a user has a certain access to an object, instead of access to all objects or to one particular object.

Using Shiro's favorite example, the problem is this:

Users have permissions of the form 'printer:print:laserjet3440', 'printer:view:canonb2'. If I say

...

the option only appears for users who have the wildcard permission, not the real users who may have rights to one or several printers. What I think we need is an existential wildcard ('printer:view:?' maybe) that matches any object.

From what I can tell, Shiro simply doesn't have this functionality in its permissions.

The workaround I've used for now is to grant every user who has one of these object-based permissions an 'any' permission, e.g. 'printer:view:-any-', and to base the page permissions on this.

Have I missed anything obvious? What do other people do?

Regards,
Lidija
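As an added example (a Python re-implementation of the matching rule, not Shiro's or tapestry-security's code): Shiro's WildcardPermission.implies walks the parts left to right, which is why 'printer:view:canonb2' never implies 'printer:view' or 'printer:view:*', and the existential check the post asks for has to be written as a separate helper. The names implies_some_instance, is_permitted and is_permitted_some_instance are my own.

```python
"""Shiro WildcardPermission semantics plus an existential "any instance" check.

Re-implementation for illustration; Shiro's own class is
org.apache.shiro.authz.permission.WildcardPermission.
"""
from typing import Iterable, List, Set

WILDCARD = "*"


class WildcardPermission:
    """':' separates parts, ',' separates alternatives inside a part,
    '*' matches every value of a part. Case-insensitive by default, as in Shiro."""

    def __init__(self, spec: str, case_sensitive: bool = False) -> None:
        spec = spec.strip()
        if not spec:
            raise ValueError("wildcard string cannot be empty")
        if not case_sensitive:
            spec = spec.lower()
        self.parts: List[Set[str]] = []
        for part in spec.split(":"):
            alternatives = {p.strip() for p in part.split(",") if p.strip()}
            if not alternatives:
                raise ValueError("wildcard string cannot contain parts with only dividers")
            self.parts.append(alternatives)

    def implies(self, other: "WildcardPermission") -> bool:
        """Same algorithm as Shiro: each of our parts must be '*' or a superset of
        the corresponding part of `other`; if we have fewer parts the rest is implied;
        if we have more parts, all of the extra ones must be '*'."""
        i = 0
        for other_part in other.parts:
            if i > len(self.parts) - 1:
                return True
            part = self.parts[i]
            if WILDCARD not in part and not part >= other_part:
                return False
            i += 1
        return all(WILDCARD in part for part in self.parts[i:])

    def implies_some_instance(self, prefix: "WildcardPermission") -> bool:
        """Existential check: does this permission grant `prefix` (e.g. printer:view)
        on at least one object? Only the leading parts are compared; whatever
        instance parts follow name at least one concrete object."""
        for i, required in enumerate(prefix.parts):
            if i > len(self.parts) - 1:
                return True  # a shorter held permission implies everything below it
            held = self.parts[i]
            if WILDCARD not in held and not held >= required:
                return False
        return True


def is_permitted(held: Iterable[str], wanted: str) -> bool:
    """What Subject.isPermitted(wanted) answers for a subject holding `held`."""
    w = WildcardPermission(wanted)
    return any(WildcardPermission(h).implies(w) for h in held)


def is_permitted_some_instance(held: Iterable[str], prefix: str) -> bool:
    """The check the post is missing: `prefix` granted on any object at all."""
    p = WildcardPermission(prefix)
    return any(WildcardPermission(h).implies_some_instance(p) for h in held)
```

With `is_permitted_some_instance` the front-page link can be shown to anyone who may view at least one printer, without handing out an extra 'printer:view:-any-' permission.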
Re: shiro UsernamePasswordToken "RememberMe" problems
No problem Kalle, make sure to give credit to Janne though, most of the work is his. I wouldn't make this the default Serializer just yet, because it will invalidate existing cookies for clients that upgrade to the new version. I would offer it as an optional Serializer implementation (possibly configurable with a symbol); people would be able to enable it if they like. Ultimately, the call is yours, I just wanted to point out this possible problem.

On Mon, Mar 10, 2014 at 9:41 PM, Kalle Korhonen wrote:
> Perhaps there's no reason to wait for a fix in Shiro. I could just implement this as a new default CookieRememberMeManager in tapestry-security. Dusko, you mind if I use your SimplePrincipalSerializer?
>
> Kalle
Re: shiro UsernamePasswordToken "RememberMe" problems
Perhaps there's no reason to wait for a fix in Shiro. I could just implement this as a new default CookieRememberMeManager in tapestry-security. Dusko, you mind if I use your SimplePrincipalSerializer?

Kalle

On Thu, Mar 6, 2014 at 3:21 AM, Dusko Jovanovski wrote:
> Thanks for pointing that out, I wasn't finishing the GZIP stream properly, already fixed in the updated gist.
> https://gist.github.com/duskote/0f8cce8d1b0d1cc56844
>
> You could give it another try and see if it works for you.
Re: shiro UsernamePasswordToken "RememberMe" problems
Cookie size is 2K. Works like a charm, thank you :).

Regards,
Lidija

On Thu, Mar 6, 2014 at 12:21 PM, Dusko Jovanovski wrote:
> Thanks for pointing that out, I wasn't finishing the GZIP stream properly, already fixed in the updated gist.
> https://gist.github.com/duskote/0f8cce8d1b0d1cc56844
>
> You could give it another try and see if it works for you.
Re: shiro UsernamePasswordToken "RememberMe" problems
Thanks for pointing that out, I wasn't finishing the GZIP stream properly, already fixed in the updated gist.
https://gist.github.com/duskote/0f8cce8d1b0d1cc56844

You could give it another try and see if it works for you.

On Thu, Mar 6, 2014 at 11:36 AM, Lidija Dolinar wrote:
> Dusko, thank you for your reply.
>
> If I use your SimplePrincipalSerializer, the rememberMe cookie is indeed created and is very small:
>
> [11:31:39] DEBUG [org.apache.shiro.web.servlet.SimpleCookie]: Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Wed, 05-Mar-2014 10:31:39 GMT]
> [11:31:39] DEBUG [org.apache.shiro.web.servlet.SimpleCookie]: Added HttpServletResponse Cookie [rememberMe=Kjvu3Jysio7jGf7Xew6Rp46oiHDrDC/V00ltCDbFw4M=; Path=/; Max-Age=1209600; Expires=Thu, 20-Mar-2014 10:31:39 GMT; HttpOnly]
>
> But I get the following exception at deserialization time (sorry for the ugly wrapping):
>
> [11:32:36] DEBUG [org.apache.shiro.web.servlet.SimpleCookie]: Found 'rememberMe' cookie value [Kjvu3Jysio7jGf7Xew6Rp46oiHDrDC/V00ltCDbFw4M=]
> [11:32:36] DEBUG [org.apache.shiro.mgt.AbstractRememberMeManager]: There was a failure while trying to retrieve remembered principals. This could be due to a configuration problem or corrupted principals. This could also be due to a recently changed encryption key. The remembered identity will be forgotten and not used for this request.
> org.apache.shiro.io.SerializationException: Unexpected end of ZLIB input stream
>         at si.najdi.web.util.SimplePrincipalSerializer2.deserialize(SimplePrincipalSerializer2.java:85) ~[classes/:na]
Re: shiro UsernamePasswordToken "RememberMe" problems
Dusko, thank you for your reply.

If I use your SimplePrincipalSerializer, the rememberMe cookie is indeed created and is very small:

[11:31:39] DEBUG [org.apache.shiro.web.servlet.SimpleCookie]: Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Wed, 05-Mar-2014 10:31:39 GMT]
[11:31:39] DEBUG [org.apache.shiro.web.servlet.SimpleCookie]: Added HttpServletResponse Cookie [rememberMe=Kjvu3Jysio7jGf7Xew6Rp46oiHDrDC/V00ltCDbFw4M=; Path=/; Max-Age=1209600; Expires=Thu, 20-Mar-2014 10:31:39 GMT; HttpOnly]

But I get the following exception at deserialization time (sorry for the ugly wrapping):

[11:32:36] DEBUG [org.apache.shiro.web.servlet.SimpleCookie]: Found 'rememberMe' cookie value [Kjvu3Jysio7jGf7Xew6Rp46oiHDrDC/V00ltCDbFw4M=]
[11:32:36] DEBUG [org.apache.shiro.mgt.AbstractRememberMeManager]: There was a failure while trying to retrieve remembered principals. This could be due to a configuration problem or corrupted principals. This could also be due to a recently changed encryption key. The remembered identity will be forgotten and not used for this request.
org.apache.shiro.io.SerializationException: Unexpected end of ZLIB input stream
        at si.najdi.web.util.SimplePrincipalSerializer2.deserialize(SimplePrincipalSerializer2.java:85) ~[classes/:na]
        at si.najdi.web.util.SimplePrincipalSerializer2.deserialize(SimplePrincipalSerializer2.java:17) ~[classes/:na]
        at org.apache.shiro.mgt.AbstractRememberMeManager.deserialize(AbstractRememberMeManager.java:514) ~[shiro-core-1.2.0.jar:1.2.0]
        at org.apache.shiro.mgt.AbstractRememberMeManager.convertBytesToPrincipals(AbstractRememberMeManager.java:431) ~[shiro-core-1.2.0.jar:1.2.0]
        at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:396) ~[shiro-core-1.2.0.jar:1.2.0]
        at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:604) [shiro-core-1.2.0.jar:1.2.0]
        at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:492) [shiro-core-1.2.0.jar:1.2.0]
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:342) [shiro-core-1.2.0.jar:1.2.0]
        at $WebSecurityManager_439fe43247936.createSubject(Unknown Source) [na:na]
        at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846) [shiro-core-1.2.0.jar:1.2.0]
        at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148) [shiro-web-1.2.0.jar:1.2.0]
        at org.tynamo.security.services.impl.SecurityConfiguration.service(SecurityConfiguration.java:51) [tapestry-security-0.5.1.jar:0.5.1]
        at $HttpServletRequestFilter_439fe43247931.service(Unknown Source) [na:na]
        at $HttpServletRequestHandler_439fe43247934.service(Unknown Source) [na:na]
        at org.got5.tapestry5.jquery.services.AjaxUploadServletRequestFilter.service(AjaxUploadServletRequestFilter.java:26) [tapestry5-jquery-3.3.3.jar:na]
        at $HttpServletRequestHandler_439fe43247934.service(Unknown Source) [na:na]
        at org.apache.tapestry5.upload.internal.services.MultipartServletRequestFilter.service(MultipartServletRequestFilter.java:44) [tapestry-upload-5.3.7.jar:na]
        at $HttpServletRequestHandler_439fe43247934.service(Unknown Source) [na:na]
        at org.tynamo.resteasy.ResteasyRequestFilter.service(ResteasyRequestFilter.java:100) [tapestry-resteasy-0.3.1.jar:0.3.1]
        at $HttpServletRequestFilter_439fe4324792e.service(Unknown Source) [na:na]
        at $HttpServletRequestHandler_439fe43247934.service(Unknown Source) [na:na]
        at org.apache.tapestry5.internal.services.IgnoredPathsFilter.service(IgnoredPathsFilter.java:62) [tapestry-core-5.3.7.jar:na]
        at $HttpServletRequestFilter_439fe4324792c.service(Unknown Source) [na:na]
        at $HttpServletRequestHandler_439fe43247934.service(Unknown Source) [na:na]
        at org.apache.tapestry5.services.TapestryModule$1.service(TapestryModule.java:852) [tapestry-core-5.3.7.jar:na]
        at $HttpServletRequestHandler_439fe43247934.service(Unknown Source) [na:na]
        at $HttpServletRequestHandler_439fe4324792b.service(Unknown Source) [na:na]
        at org.apache.tapestry5.TapestryFilter.doFilter(TapestryFilter.java:171) [tapestry-core-5.3.7.jar:na]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1419) [jetty-servlet-8.1.9.v20130131.jar:8.1.9.v20130131]
        at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:206) [javamelody-core-1.43.0.jar:1.43.0]
        at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:179) [javamelody-core-1.43.0.jar:1.43.0]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1419) [jetty-servlet-8.1.9.v20130131.jar:8.1.9.v20130131]
        at com.hazelcast.web.WebFilter.doFilter(WebFilter.java:598) [hazelcast-wm-2.5.jar:2.5]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1419) [jetty-servlet-8.1.9.v20130131.jar:8.1.9.v20130131]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:455) [jet
Re: shiro UsernamePasswordToken "RememberMe" problems
Hello Lidija, could you try out this custom serializer and report back with the results?
https://gist.github.com/duskote/0f8cce8d1b0d1cc56844

On Thu, Mar 6, 2014 at 10:48 AM, Lidija Dolinar wrote:
> Ah, I see, you meant SimplePrincipalSerializer from the patch.
>
> It doesn't affect cookie size much though - it is now 4.3K instead of 4.6K, so it doesn't resolve our problem; the cookie is still too big.
>
> Regards,
> Lidija
Re: shiro UsernamePasswordToken "RememberMe" problems
Ah, I see, you meant SimplePrincipalSerializer from the patch.

It doesn't affect cookie size much though - it is now 4.3K instead of 4.6K, so it doesn't resolve our problem; the cookie is still too big.

Regards,
Lidija

On Thu, Mar 6, 2014 at 10:14 AM, Lidija Dolinar wrote:
> By SimplePrincipalSerializer - did you mean this one that uses Kryo?
> http://grepcode.com/file/repo1.maven.org/maven2/org.jasig.cas/cas-server-integration-memcached/4.0.0-RC1/org/jasig/cas/ticket/registry/support/kryo/serial/SimplePrincipalSerializer.java
>
> Regards,
> Lidija
Re: shiro UsernamePasswordToken "RememberMe" problems
By SimplePrincipalSerializer - did you mean this one that uses Kryo?
http://grepcode.com/file/repo1.maven.org/maven2/org.jasig.cas/cas-server-integration-memcached/4.0.0-RC1/org/jasig/cas/ticket/registry/support/kryo/serial/SimplePrincipalSerializer.java

Regards,
Lidija

On Wed, Mar 5, 2014 at 5:54 PM, Kalle Korhonen wrote:
> Ah yes, the size of the default remember me cookie can grow outrageously big because it uses Java serialization. That's a long-running issue against Shiro web (https://issues.apache.org/jira/browse/SHIRO-226). It's simple to override with your own implementation - you could use the one attached as a patch to the issue, then override the default CookieRememberMeManager with:
>
> public class LightCookieRememberMeManager extends CookieRememberMeManager {
>     public LightCookieRememberMeManager() {
>         super();
>         setSerializer(new SimplePrincipalSerializer());
>     }
> }
>
> Kalle
Re: shiro UsernamePasswordToken "RememberMe" problems
Ah yes, the size of the default remember me cookie can grow outrageously big because it uses Java serialization. That's a long-running issue against Shiro web (https://issues.apache.org/jira/browse/SHIRO-226). It's simple to override with your own implementation - you could use the one attached as a patch to the issue, then override the default CookieRememberMeManager with:

public class LightCookieRememberMeManager extends CookieRememberMeManager {
    public LightCookieRememberMeManager() {
        super();
        setSerializer(new SimplePrincipalSerializer());
    }
}

Kalle

On Tue, Mar 4, 2014 at 11:16 PM, Lidija Dolinar wrote:
> Sorry for talking to myself :-).
>
> We managed to resolve the issue - the cookie was bigger than 4K. I had to debug shiro-web since there was no warning whatsoever and the browser obviously just ignored the cookie.
>
> This issue is nicely explained here:
> http://shiro-user.582556.n2.nabble.com/Remember-me-problems-with-object-in-SimpleAccount-td4817122.html
>
> I hope this will help someone else.
>
> Regards,
> Lidija
Re: shiro UsernamePasswordToken "RememberMe" problems
Sorry for talking to myself :-).

We managed to resolve the issue - the cookie was bigger than 4K. I had to debug shiro-web since there was no warning whatsoever and the browser obviously just ignored the cookie.

This issue is nicely explained here:
http://shiro-user.582556.n2.nabble.com/Remember-me-problems-with-object-in-SimpleAccount-td4817122.html

I hope this will help someone else.

Regards,
Lidija
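Added example (my own Python, not Dusko's gist and not Shiro's CookieRememberMeManager) covering the points made in this sub-thread: a compact serializer for the remembered principal in place of Java serialization, the unfinished compressed stream behind the "Unexpected end of ZLIB input stream" failure, and an explicit check against the roughly 4K cookie limit that browsers enforce without any warning. It leaves out the encryption Shiro applies on top of the serializer; the function names and the sample principal used in the test are assumptions.

```python
"""Compact remember-me principal serializer with the two failure modes from the thread."""
import base64
import json
import zlib

# Browsers drop a cookie around 4 KB without any error (the thread's finding);
# refuse such a value on the server instead of debugging shiro-web later.
COOKIE_VALUE_LIMIT = 4096


def serialize_principal(principal: dict, finish: bool = True) -> str:
    """Serialize the remembered identity as JSON -> DEFLATE -> base64.

    Only the few fields needed to re-identify the account belong here, not the
    whole User entity that Java serialization drags along. finish=False reproduces
    the bug discussed above: the compressed stream is never finished, so its
    trailer is missing and the reader cannot decode it.
    """
    raw = json.dumps(principal, separators=(",", ":"), sort_keys=True).encode("utf-8")
    compressor = zlib.compressobj()
    data = compressor.compress(raw)
    if finish:
        data += compressor.flush()  # Java equivalent: GZIPOutputStream.finish()/close()
    return base64.b64encode(data).decode("ascii")


def deserialize_principal(cookie_value: str) -> dict:
    """Inverse of serialize_principal; rejects a truncated stream explicitly."""
    data = base64.b64decode(cookie_value, validate=True)
    decompressor = zlib.decompressobj()
    raw = decompressor.decompress(data)
    if not decompressor.eof:
        # The condition the Java side reported as "Unexpected end of ZLIB input stream"
        raise ValueError("unexpected end of ZLIB input stream")
    return json.loads(raw.decode("utf-8"))


def fits_in_cookie(cookie_value: str) -> bool:
    """True when the value is within what browsers will actually store."""
    return len(cookie_value) <= COOKIE_VALUE_LIMIT


def remember_me_cookie_value(principal: dict) -> str:
    """Build the cookie value, refusing loudly to emit one the browser would silently drop."""
    value = serialize_principal(principal)
    if not fits_in_cookie(value):
        raise ValueError(
            f"rememberMe cookie value is {len(value)} bytes, over the {COOKIE_VALUE_LIMIT}-byte limit"
        )
    return value
```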
Re: shiro UsernamePasswordToken "RememberMe" problems
I pasted shiro's debug logs below. As far as I can see two rememberMe cookies are created: one with value "deleteMe" that gets deleted immediately since Max-Age=0 and another rememberMe cookie that has an expiration date 1 year from now. So why don't I see this cookie in a browser? There's a debug message "No SecurityManager available in subject context map..." Is this the reason?

LOG:

[09:23:46] DEBUG [org.apache.shiro.realm.AuthenticatingRealm]: AuthenticationInfo caching is disabled for info [User [address=null, birthDate=null, email=, firstName=Lidija, gender=null, lastName=Dolinar, phone=null, phoneConfirmed=null, postcode=null, town=null, username=lidija, getEducation()=null, getAreaOfInterests()=[], getOccupationStatus()=null]]. Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - lidija, rememberMe=true].
[09:23:46] DEBUG [org.apache.shiro.authc.credential.SimpleCredentialsMatcher]: Performing credentials equality check for tokenCredentials of type [[B and accountCredentials of type [java.lang.String]
[09:23:46] DEBUG [org.apache.shiro.authc.credential.SimpleCredentialsMatcher]: Both credentials arguments can be easily converted to byte arrays. Performing array equals comparison
[09:23:46] DEBUG [org.apache.shiro.authc.AbstractAuthenticator]: Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - lidija, rememberMe=true]. Returned account [User [address=null, birthDate=null, email=, firstName=Lidija, gender=null, lastName=Dolinar, phone=null, phoneConfirmed=null, postcode=null, town=null, username=lidija, getEducation()=null, getAreaOfInterests()=[], getOccupationStatus()=null]]
[09:23:46] DEBUG [org.apache.shiro.subject.support.DefaultSubjectContext]: No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
[09:23:46] DEBUG [org.apache.shiro.subject.support.DefaultSubjectContext]: No SecurityManager available in subject context map. Falling back to SecurityUtils.getSecurityManager() lookup.
[09:23:46] DEBUG [org.apache.shiro.web.servlet.SimpleCookie]: Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Mon, 03-Mar-2014 08:23:46 GMT]
[09:23:46] DEBUG [org.apache.shiro.web.servlet.SimpleCookie]: Added HttpServletResponse Cookie [rememberMe=
Re: shiro UsernamePasswordToken "RememberMe" problems
Lenny and Kalle, thank you for your responses.

On Tue, Feb 25, 2014 at 10:26 PM, Kalle Korhonen wrote:
> Shiro makes a strong separation between remembered and authenticated use
> cases. It depends on your security settings whether you want to allow
> remembered only users.

How should the security settings be set to allow RememberMe functionality?

> The built-in Shiro rememberMe cookie is not secure. I've written about the
> topic several times. RollingTokenRealm (at the end of
> http://tynamo.org/tynamo-federatedaccounts+guide) was born out of the need
> to support a (more) secure rememberMe use case. (And to Lenny, no,
> productionMode does not affect this functionality in any way).

You're right - I tried running the application in production mode but the effect is the same - no cookie is created in either case. I'm aware of the fact that the rememberMe cookie is not secure. Also, we're using Hibernate - as I see it, RollingTokenRealm currently only supports JPA.

> Are you sure the cookie isn't created or it just doesn't work the way you
> expected? I.e. user is not logged in.

No, the cookie isn't created. The user logs in successfully into our web application, but there is no "rememberMe" cookie. I tried different browsers (Firefox, Chrome, IE) and platforms (Linux / Windows).

Regards,
Lidija
Re: shiro UsernamePasswordToken "RememberMe" problems
On Mon, Feb 24, 2014 at 11:44 PM, Lidija Dolinar wrote:
> I tried "Remember Me" functionality here:
> http://tynamo-federatedaccounts.tynamo.org/ (live demo webapp) but the user
> isn't remembered.
> When I check the "Remember Me" checkbox and login, the cookie "rememberMe"
> is created. After I close the browser and reopen it again I'm not logged
> in. Am I missing something here?

Shiro makes a strong separation between remembered and authenticated use cases. It depends on your security settings whether you want to allow remembered only users. The built-in Shiro rememberMe cookie is not secure. I've written about the topic several times. RollingTokenRealm (at the end of http://tynamo.org/tynamo-federatedaccounts+guide) was born out of the need to support a (more) secure rememberMe use case. (And to Lenny, no, productionMode does not affect this functionality in any way).

> I'm struggling with the creation of the "rememberMe" cookie. This is my
> Login.java:
>
>     public Object onActionFromJsecLoginForm() {
>         Subject currentUser = securityService.getSubject();
>         if (currentUser == null) {
>             throw new IllegalStateException("Subject can`t be null");
>         }
>         UsernamePasswordToken token = new UsernamePasswordToken(jsecLogin, jsecPassword);
>         token.setRememberMe(true);
>
>         try {
>             currentUser.login(token);
>         }
>         ...
>     }
>
> However, the cookie "rememberMe" isn't created :-/. What am I missing?

Are you sure the cookie isn't created or it just doesn't work the way you expected? I.e. user is not logged in.

Kalle
Re: shiro UsernamePasswordToken "RememberMe" problems
I believe that "remember me" works only in production mode by default.

On Feb 25, 2014, at 2:44 AM, Lidija Dolinar wrote:
> Hi,
>
> I tried "Remember Me" functionality here:
> http://tynamo-federatedaccounts.tynamo.org/ (live demo webapp) but the user
> isn't remembered.
>
> When I check the "Remember Me" checkbox and login, the cookie "rememberMe"
> is created. After I close the browser and reopen it again I'm not logged
> in. Am I missing something here?
>
> I'm struggling with the creation of the "rememberMe" cookie. This is my
> Login.java:
>
>     public Object onActionFromJsecLoginForm() {
>         Subject currentUser = securityService.getSubject();
>         if (currentUser == null) {
>             throw new IllegalStateException("Subject can`t be null");
>         }
>         UsernamePasswordToken token = new UsernamePasswordToken(jsecLogin, jsecPassword);
>         token.setRememberMe(true);
>
>         try {
>             currentUser.login(token);
>         }
>         ...
>     }
>
> This is taken from shiro documentation (https://shiro.apache.org/authentication.html):
>
>     //Example using most common scenario of username/password pair:
>     UsernamePasswordToken token = new UsernamePasswordToken(username, password);
>     //"Remember Me" built-in:
>     token.setRememberMe(true);
>
> However, the cookie "rememberMe" isn't created :-/. What am I missing?
>
> Regards,
> Lidija

To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
shiro UsernamePasswordToken "RememberMe" problems
Hi,

I tried "Remember Me" functionality here: http://tynamo-federatedaccounts.tynamo.org/ (live demo webapp) but the user isn't remembered.

When I check the "Remember Me" checkbox and login, the cookie "rememberMe" is created. After I close the browser and reopen it again I'm not logged in. Am I missing something here?

I'm struggling with the creation of the "rememberMe" cookie. This is my Login.java:

    public Object onActionFromJsecLoginForm() {
        Subject currentUser = securityService.getSubject();
        if (currentUser == null) {
            throw new IllegalStateException("Subject can`t be null");
        }
        UsernamePasswordToken token = new UsernamePasswordToken(jsecLogin, jsecPassword);
        token.setRememberMe(true);

        try {
            currentUser.login(token);
        }
        ...
    }

This is taken from shiro documentation (https://shiro.apache.org/authentication.html):

    //Example using most common scenario of username/password pair:
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    //"Remember Me" built-in:
    token.setRememberMe(true);

However, the cookie "rememberMe" isn't created :-/. What am I missing?

Regards,
Lidija
Re: Shiro configuration for shiroSavedRequest cookie domain
I think I accomplished this with cookies.writeDomainCookieValue (I have to test it on a production machine which I have no access to right now, but it works on my local machine with multiple subdomains).

But now I can't delete this cookie. After the user logs in I want to redirect him/her to the url written in the cookie and then delete the cookie. No matter what I do it doesn't work:

    cookies.removeCookieValue("shiroSavedRequest");  - not working, cookie stays the same
    cookies.writeDomainCookieValue("shiroSavedRequest", "_", , 0);  - also has no effect

Shouldn't this delete the cookie?

Regards,
Lidija

On Tue, Jan 28, 2014 at 3:18 PM, Lidija Dolinar wrote:
> Hi,
>
> our web application is running on different sub-domains and we need the
> shiroSavedRequest cookie to be saved on domain level and not on subdomain
> level.
>
> This is supposed to be accomplished with the following setting in
> shiro.ini:
>
>     [main]
>     securityManager.sessionManager.sessionIdCookie.domain=
>
> But as I understand, I cannot configure shiro in Tapestry through the
> shiro.ini file.
>
> How else can I configure this?
>
> Any help would be highly appreciated.
>
> Regards,
> Lidija
Shiro configuration for shiroSavedRequest cookie domain
Hi,

our web application is running on different sub-domains and we need the shiroSavedRequest cookie to be saved on domain level and not on subdomain level.

This is supposed to be accomplished with the following setting in shiro.ini:

    [main]
    securityManager.sessionManager.sessionIdCookie.domain=

But as I understand, I cannot configure shiro in Tapestry through the shiro.ini file.

How else can I configure this?

Any help would be highly appreciated.

Regards,
Lidija
Re: onActivate not called / Ajax / Shiro
The FlowLogix library also has a couple of solutions to deal with this: the @AJAX annotation http://code.google.com/p/flowlogix/wiki/TLAJAXAnnotation that will redirect to the login screen if the session has expired (among other things) and the SessionMonitor component http://code.google.com/p/flowlogix/wiki/TLSessionMonitor

On Oct 30, 2013, at 3:56 AM, Andreas Fink wrote:
> Hi Jens
>
> On Oct 28, 2013, at 19:44 , Lenny Primak wrote:
>
> ...
>
>>> The statement above would make me think that Tapestry-Security does work
>>> for AJAX requests too, as onActivate() is invoked for every request for the
>>> page, render or action.
>>
>> The way the Tapestry-Security filter is set up is that it prevents any page
>> calls if it's not authorized, Ajax or not.
>> This is the correct behavior.
>
> In cases like this an "AJAX ping" can help you keep the session alive.
> Something along the lines of this: http://stackoverflow.com/a/12597339
>
> Cheers,
> Andi.
Re: onActivate not called / Ajax / Shiro
Hi Jens

On Oct 28, 2013, at 19:44 , Lenny Primak wrote:

...

>> The statement above would make me think that Tapestry-Security does work for
>> AJAX requests too, as onActivate() is invoked for every request for the
>> page, render or action.
>
> The way the Tapestry-Security filter is set up is that it prevents any page
> calls if it's not authorized, Ajax or not.
> This is the correct behavior.

In cases like this an "AJAX ping" can help you keep the session alive. Something along the lines of this: http://stackoverflow.com/a/12597339

Cheers,
Andi.
Re: onActivate not called / Ajax / Shiro
On Oct 28, 2013, at 8:09 AM, Thiago H de Paula Figueiredo wrote:
> On Sun, 27 Oct 2013 11:44:42 -0200, Lenny Primak wrote:
>
>> I don't think Tapestry-Security works for Ajax requests.
>> I think it's geared more toward blocking access to pages for initial load.
>
> I wouldn't say that before checking the source first.

I say this because I had to work around this issue. Tapestry-Security will return a full page (Unauthorized) which would result in a pop-up exception. Let me elaborate. Let's say you go to a page, and it requires authentication. You authenticate, you are in. Great. Now the page is in the browser for long enough for the session to expire. You are no longer authenticated. Now you click something that makes an Ajax request. Tapestry-Security will redirect you to an Unauthorized page in this case. This isn't done correctly, i.e. via full page redirect. Tapestry 5.3 does not handle this case correctly, i.e. a pop-up exception instead of a redirect. I actually have a workaround for this in the FlowLogix library, via the @AJAX annotation.

>> How can you have AJAX requests for a page that's not authorized?
>> Also, in Tapestry 5.4, this should be handled properly by the way T5.4 handles
>> JavaScript.
>
> I'm not following you.

Tapestry 5.4 handles JavaScript errors better, so this issue doesn't exist in T5.4.

>> onActivate isn't getting called because Tapestry-Security / Shiro intercepts
>> it (and denies its permission)
>> before onActivate ever gets called.
>
> The statement above would make me think that Tapestry-Security does work for
> AJAX requests too, as onActivate() is invoked for every request for the page,
> render or action.

The way the Tapestry-Security filter is set up is that it prevents any page calls if it's not authorized, Ajax or not. This is the correct behavior.
Re: onActivate not called / Ajax / Shiro
On Sun, 27 Oct 2013 11:44:42 -0200, Lenny Primak wrote:

> I don't think Tapestry-Security works for Ajax requests.
> I think it's geared more toward blocking access to pages for initial load.

I wouldn't say that before checking the source first.

> How can you have AJAX requests for a page that's not authorized?
> Also, in Tapestry 5.4, this should be handled properly by the way T5.4 handles JavaScript.

I'm not following you.

> onActivate isn't getting called because Tapestry-Security / Shiro intercepts it (and denies its permission) before onActivate ever gets called.

The statement above would make me think that Tapestry-Security does work for AJAX requests too, as onActivate() is invoked for every request for the page, render or action.

--
Thiago H. de Paula Figueiredo
Tapestry, Java and Hibernate consultant and developer
http://machina.com.br
Re: onActivate not called / Ajax / Shiro
I do believe your assumption is correct.

> On Oct 28, 2013, at 2:51 AM, "mailingl...@j-b-s.de" wrote:
>
> Hi Lenny
>
> Thanks for your answer. I guess my description was somehow incomplete...
>
> OnActivate from the "unauthorized" page is not called, that's surprising to
> me.
>
> The user has permission to view the page in general but misses certain
> functionality permissions triggered by event callback methods. My initial
> failure was to show such event links at all, but that's a different story...
>
> Nevertheless it's still possible to enter such a link URL directly in the
> browser, but luckily in this case everything works as expected (redirect to
> "unauthorized" page and onActivate from the unauthorized page gets called)
>
> As the only difference is "zone/ajax" related, I guess shiro does not handle
> XHR requests correctly when rendering/redirecting, but this is just an
> assumption. I have to dig deeper in the shiro source
>
> Jens
>
> Sent from my iPhone
>
>> On 27.10.2013 at 14:44, Lenny Primak wrote:
>>
>> I don't think Tapestry-Security works for Ajax requests.
>> I think it's geared more toward blocking access to pages for initial load.
>> How can you have AJAX requests for a page that's not authorized?
>> Also, in Tapestry 5.4, this should be handled properly by the way T5.4 handles
>> JavaScript.
>>
>> onActivate isn't getting called because Tapestry-Security / Shiro intercepts
>> it (and denies its permission)
>> before onActivate ever gets called.
>>
>>> On Oct 27, 2013, at 8:55 AM, Jens Breitenstein wrote:
>>>
>>> Hi all!
>>>
>>> I have a strange problem and maybe one of you can give me a hint...
>>>
>>> Basically I have a table and each individual forms its own zone and
>>> can be replaced independently from each other by an eventlink (works
>>> perfectly).
>>> Next I added @RequiresPermissions("MyPermission:modify") on the
>>> event-callback method to limit access. In case a user does not have the
>>> required permissions Shiro correctly identifies it and throws an
>>> OperationException("Subject does not have permission"), perfect too.
>>> Unfortunately there is no redirect to the "Unauthorized" page but instead
>>> the page is rendered in the "ajax dialog box" (which tapestry shows in case
>>> of problems/errors).
>>>
>>> From the stacktrace I see
>>> "SecurityExceptionHandlerAssistant.handleRequestException" is called to
>>> retrieve the page name to show ("Unauthorized"). Unfortunately there is no
>>> redirect to the page but instead "renderer.renderPageResponse(page)" is
>>> called and surprisingly "onActivate" of my "Unauthorized" page is not
>>> called at all.
>>>
>>> Any idea what happens and how to solve it?
>>>
>>> Jens
Re: onActivate not called / Ajax / Shiro
Hi Lenny

Thanks for your answer. I guess my description was somehow incomplete...

OnActivate from the "unauthorized" page is not called, that's surprising to me.

The user has permission to view the page in general but misses certain functionality permissions triggered by event callback methods. My initial failure was to show such event links at all, but that's a different story...

Nevertheless it's still possible to enter such a link URL directly in the browser, but luckily in this case everything works as expected (redirect to "unauthorized" page and onActivate from the unauthorized page gets called)

As the only difference is "zone/ajax" related, I guess shiro does not handle XHR requests correctly when rendering/redirecting, but this is just an assumption. I have to dig deeper in the shiro source

Jens

Sent from my iPhone

> On 27.10.2013 at 14:44, Lenny Primak wrote:
>
> I don't think Tapestry-Security works for Ajax requests.
> I think it's geared more toward blocking access to pages for initial load.
> How can you have AJAX requests for a page that's not authorized?
> Also, in Tapestry 5.4, this should be handled properly by the way T5.4 handles
> JavaScript.
>
> onActivate isn't getting called because Tapestry-Security / Shiro intercepts
> it (and denies its permission)
> before onActivate ever gets called.
>
>> On Oct 27, 2013, at 8:55 AM, Jens Breitenstein wrote:
>>
>> Hi all!
>>
>> I have a strange problem and maybe one of you can give me a hint...
>>
>> Basically I have a table and each individual forms its own zone and
>> can be replaced independently from each other by an eventlink (works
>> perfectly).
>> Next I added @RequiresPermissions("MyPermission:modify") on the
>> event-callback method to limit access. In case a user does not have the
>> required permissions Shiro correctly identifies it and throws an
>> OperationException("Subject does not have permission"), perfect too.
>> Unfortunately there is no redirect to the "Unauthorized" page but instead
>> the page is rendered in the "ajax dialog box" (which tapestry shows in case
>> of problems/errors).
>>
>> From the stacktrace I see
>> "SecurityExceptionHandlerAssistant.handleRequestException" is called to
>> retrieve the page name to show ("Unauthorized"). Unfortunately there is no
>> redirect to the page but instead "renderer.renderPageResponse(page)" is
>> called and surprisingly "onActivate" of my "Unauthorized" page is not called
>> at all.
>>
>> Any idea what happens and how to solve it?
>>
>> Jens
Re: onActivate not called / Ajax / Shiro
I don't think Tapestry-Security works for Ajax requests. I think it's geared more toward blocking access to pages for initial load. How can you have AJAX requests for a page that's not authorized? Also, in Tapestry 5.4, this should be handled properly by the way T5.4 handles JavaScript.

onActivate isn't getting called because Tapestry-Security / Shiro intercepts it (and denies its permission) before onActivate ever gets called.

On Oct 27, 2013, at 8:55 AM, Jens Breitenstein wrote:
> Hi all!
>
> I have a strange problem and maybe one of you can give me a hint...
>
> Basically I have a table and each individual forms its own zone and can
> be replaced independently from each other by an eventlink (works perfectly).
> Next I added @RequiresPermissions("MyPermission:modify") on the
> event-callback method to limit access. In case a user does not have the
> required permissions Shiro correctly identifies it and throws an
> OperationException("Subject does not have permission"), perfect too.
> Unfortunately there is no redirect to the "Unauthorized" page but instead the
> page is rendered in the "ajax dialog box" (which tapestry shows in case of
> problems/errors).
>
> From the stacktrace I see
> "SecurityExceptionHandlerAssistant.handleRequestException" is called to
> retrieve the page name to show ("Unauthorized"). Unfortunately there is no
> redirect to the page but instead "renderer.renderPageResponse(page)" is
> called and surprisingly "onActivate" of my "Unauthorized" page is not called
> at all.
>
> Any idea what happens and how to solve it?
>
> Jens
onActivate not called / Ajax / Shiro
Hi all!

I have a strange problem and maybe one of you can give me a hint...

Basically I have a table and each individual forms its own zone and can be replaced independently from each other by an eventlink (works perfectly). Next I added @RequiresPermissions("MyPermission:modify") on the event-callback method to limit access. In case a user does not have the required permissions Shiro correctly identifies it and throws an OperationException("Subject does not have permission"), perfect too. Unfortunately there is no redirect to the "Unauthorized" page but instead the page is rendered in the "ajax dialog box" (which tapestry shows in case of problems/errors).

From the stacktrace I see "SecurityExceptionHandlerAssistant.handleRequestException" is called to retrieve the page name to show ("Unauthorized"). Unfortunately there is no redirect to the page but instead "renderer.renderPageResponse(page)" is called and surprisingly "onActivate" of my "Unauthorized" page is not called at all.

Any idea what happens and how to solve it?

Jens
Re: Apache Shiro
Hi,

there are several ways to do that. An easy way would be to store a user object as a principal and then do something like that:

    ${username}

    public String getUsername() {
        final Subject currentUser = SecurityUtils.getSubject();
        if (currentUser.getPrincipals() != null) {
            // oneByType() returns null when no principal of that type is present
            final SomeClass user = currentUser.getPrincipals().oneByType(SomeClass.class);
            return user != null ? user.getSurename() : "";
        } else {
            return "";
        }
    }

With kind regards
David

On 12.08.2013 09:06, Willy Browne wrote:
> I am glad I made you laugh. I know how this works with tapestry and also
> would like to do/know how to do this with shiro, without using the userExists
> property if there is a way.
>
> Sent via Yahoo! Mail for Android
AW: RE: Apache Shiro
I am glad I made you laugh. I know how this works with tapestry and also would like to do/know how to do this with shiro, without using the userExists property if there is a way.

Sent via Yahoo! Mail for Android
RE: Apache Shiro
Haha, man, you made me laugh so much!! :)) I am not sure whether or not you are trolling, but you made my day bumping with this Q. on my Q. :D Hahahaha :))

I am not acquainted well enough with tapestry shiro, but as for tapestry itself, there is a great shortcut including

    @Property
    private boolean userExists;

in your java and in tml

    ${message:welcome} ${user.name}
    // here goes just login button ... ( or even register, ye ) :)

So, if your user exists, just put "user exists" html code in that section, and if not, in the else section.

> Date: Sun, 11 Aug 2013 18:31:10 +0200
> From: llcool_wil...@yahoo.fr
> To: users@tapestry.apache.org
> Subject: Apache Shiro
>
> Hi,
> i have some issues using shiro in my tapestry application. So far login
> and logout work almost perfectly. I have a custom logout link which is an
> image but one logout text is still, I guess, automatically generated, so I
> have my image and the "logout" text (link). How can I avoid that?
> The second problem is that I would like to display a dynamic welcome
> message with the surname or lastname (not the username used to login) of
> the authenticated user! How can I get to this information? There must
> be an easy way, which I didn't find.
>
> This is how my .tml file looks like:
>
>     class="wellcomeMessage">
>     Willkommen !
>
> thanks
>
> Will
Apache Shiro
Hi,

i have some issues using shiro in my tapestry application. So far login and logout work almost perfectly. I have a custom logout link which is an image but one logout text is still, I guess, automatically generated, so I have my image and the "logout" text (link). How can I avoid that?

The second problem is that I would like to display a dynamic welcome message with the surname or lastname (not the username used to login) of the authenticated user! How can I get to this information? There must be an easy way, which I didn't find.

This is how my .tml file looks like:

    class="wellcomeMessage">
    Willkommen !

thanks

Will
RE: shiro on tapestry
Well, it's strange. I see in the debugger two invocations of the method and two increments of my counter, but only one lands in the database. Very strange, even after logout and shutdown...

    hitcount == 1
shiro on tapestry
Folks,

I am operating shiro on tapestry, but my doGetAuthenticationInfo(...) is called twice for every currentSubject.login(...) call. I cannot even implement a hit counter without the count being doubled at increment within the realm. Is there a workaround for this? Or do I have to live with doubled hit counts?

Thanks in advance
Re: shiro authentication
On Wed, Dec 28, 2011 at 11:01 PM, csckid wrote:
> I am stuck with authenticating user from database table.
> In this function doGetAuthenticationInfo() don't we need to set the Subject?
> What is the purpose of SimpleAuthenticationInfo?

No better source for answers than [Shiro's javadoc][1]. doGetAuthenticationInfo() returns an AuthenticationInfo. A SimpleAuthenticationInfo is an implementation of AuthenticationInfo. [Subject][2] "represents state and security operations for a single application user" as the javadoc states, so no, we don't set the subject here, but the framework repeatedly sets it up for each request. The purpose of the (Simple)[AuthenticationInfo][3] is to represent "a Subject's (aka user's) stored account information relevant to the authentication/log-in process only". The realm's responsibility is to create an AuthenticationInfo (if the user is found) and the CredentialsMatcher then compares the AuthenticationToken to the AuthenticationInfo to determine whether the given credentials are valid or not.

You don't explain how you "are stuck", but assuming your findByUsername() returns an appropriate UserAccount, you probably don't have the right CredentialsMatcher configured. Perhaps you need to [set a HashedCredentialsMatcher to your realm][4].

[1]: http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/AuthenticatingRealm.html
[2]: http://shiro.apache.org/static/current/apidocs/org/apache/shiro/subject/Subject.html
[3]: http://shiro.apache.org/static/current/apidocs/org/apache/shiro/authc/AuthenticationInfo.html
[4]: http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/AuthenticatingRealm.html#setCredentialsMatcher%28org.apache.shiro.authc.credential.CredentialsMatcher%29

Kalle
shiro authentication
I am stuck with authenticating user from database table. In this function doGetAuthenticationInfo() don't we need to set the Subject? What is the purpose of SimpleAuthenticationInfo?

    package com.kids.crm.services;

    import java.util.HashSet;
    import java.util.Set;

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AccountException;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authz.AuthorizationException;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.util.SimpleByteSource;
    import org.apache.tapestry5.ioc.annotations.Inject;
    import org.springframework.beans.factory.annotation.Autowired;

    import com.kids.crm.dao.DatabaseDao;
    import com.kids.crm.dao.UserAccountDao;
    import com.kids.crm.dao.impl.UserAccountDaoImpl;
    import com.kids.crm.db.Role;
    import com.kids.crm.db.UserAccount;

    public class UserRealm extends AuthorizingRealm {

        @Inject
        UserAccountDao userAccountDao;

        public UserRealm() {
            setName("localaccounts");
            setAuthenticationTokenClass(UsernamePasswordToken.class);
        }

        private UserAccount findByUsername(String userName) {
            return (UserAccount) userAccountDao.getUserByUserName(userName);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            //Subject currentUser = SecurityUtils.getSubject();
            UsernamePasswordToken upToken = (UsernamePasswordToken) token;
            String username = upToken.getUsername();
            upToken.setRememberMe(true);
            // Null username is invalid
            if (username == null) {
                throw new AccountException("Null usernames are not allowed by this realm.");
            }
            UserAccount user = findByUsername(username);
            // Guard added: an unknown user must not fall through to a NullPointerException below
            if (user == null) {
                throw new UnknownAccountException("No account found for user [" + username + "]");
            }
            return new SimpleAuthenticationInfo(username, user.getEncodedPassword(),
                    new SimpleByteSource(user.getPasswordSalt()), getName());
        }

        // AuthorizingRealm also requires this override; the posted code omitted it.
        // Role lookup for the principal would go here.
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo(new HashSet<String>());
        }
    }

--
View this message in context: http://tapestry.1045711.n5.nabble.com/shiro-authentication-tp5106945p5106945.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
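Added example, not the poster's code nor Kalle's: the realm above with the HashedCredentialsMatcher Kalle suggests, plus the registration-time hashing that produces stored values the matcher can verify, and an offline login round trip. The package name and the in-memory StoredAccount/accounts stand-ins for UserAccount and UserAccountDao are assumptions; Shiro 1.x class and package names are used.

```java
package com.example.security; // hypothetical package; Shiro 1.x package names below

import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

/** Realm whose CredentialsMatcher knows how the stored password hashes were produced. */
public class HashedUserRealm extends AuthorizingRealm {

    /** Must be identical at registration and at login, or no password ever matches. */
    static final int HASH_ITERATIONS = 1024;

    /** Constructed stand-in for the thread's UserAccount entity: hex hash plus raw salt. */
    static final class StoredAccount {
        final String username, passwordHashHex;
        final byte[] salt;

        StoredAccount(String username, String passwordHashHex, byte[] salt) {
            this.username = username; this.passwordHashHex = passwordHashHex; this.salt = salt;
        }
    }

    /** In-memory stand-in for UserAccountDao so the example runs without a database. */
    private final Map<String, StoredAccount> accounts = new HashMap<String, StoredAccount>();

    public HashedUserRealm() {
        setName("localaccounts");
        setAuthenticationTokenClass(UsernamePasswordToken.class);
        // Tell the realm how to compare: re-hash the submitted password with the account's
        // salt and iteration count, then compare against the hex-decoded stored hash.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    /** Registration side: produce exactly the values the matcher above will verify later. */
    public void register(String username, char[] password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashHex = new Sha256Hash(password, salt, HASH_ITERATIONS).toHex();
        accounts.put(username, new StoredAccount(username, hashHex, salt.getBytes()));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        if (username == null) {
            throw new AccountException("Null usernames are not allowed by this realm.");
        }
        StoredAccount account = accounts.get(username);
        if (account == null) {
            throw new UnknownAccountException("No account found for user [" + username + "]");
        }
        // Returning the salt inside the AuthenticationInfo is what lets the matcher reproduce
        // the registration-time hash; the realm itself never compares passwords.
        return new SimpleAuthenticationInfo(account.username, account.passwordHashHex,
                new SimpleByteSource(account.salt), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo(); // role lookup is not the point of this example
    }

    /** Round trip outside a web container: the right password logs in, a wrong one is rejected. */
    public static void main(String[] args) {
        HashedUserRealm realm = new HashedUserRealm();
        realm.register("lidija", "correct horse".toCharArray()); // constructed sample account
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("lidija", "correct horse"));
        System.out.println("authenticated=" + subject.isAuthenticated());
        subject.logout();
        try {
            subject.login(new UsernamePasswordToken("lidija", "wrong"));
        } catch (AuthenticationException expected) {
            System.out.println("rejected: " + expected.getClass().getSimpleName());
        }
    }
}
```

The wrong-password attempt surfaces as Shiro's IncorrectCredentialsException; a name that is not registered surfaces as the UnknownAccountException thrown by the realm.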
Re: shiro
On Tue, Dec 20, 2011 at 3:45 AM, csckid wrote:
>     public static void contributeSecurityConfiguration(Configuration configuration,
>             SecurityFilterChainFactory factory) {
>         configuration.add(factory.createChain("/medicine/create").add(factory.roles(), "employee, doctor").build());
>     }
>
> and
>
>     @RequiresRoles(value = {"doctor", "employee"})

As Alejandro says, the default logical operation is AND, meaning you need both of the roles. You should specify

    @RequiresRoles(value = {"doctor", "employee"}, logical = Logical.OR)

instead. If that doesn't work, open an issue.

Kalle
Re: shiro
I tried this

    public static void contributeSecurityConfiguration(Configuration configuration,
            SecurityFilterChainFactory factory) {
        configuration.add(factory.createChain("/medicine/create").add(factory.roles(), "employee, doctor").build());
    }

and

    @RequiresRoles(value = {"doctor", "employee"})

None of them worked. :( I wanted doctor and employee to access the page. But, with this code neither of them was working.
Re: shiro
Hi

1) I think the first issue could be that the "/index" URL is almost never used. All the links to the Index.java page will be pointed to "/". You can try 2 things:

a) rewrite your rule like this:

    configuration.add(factory.createChain("/").add(factory.authc()).build());

b) Add @RequiresAuthentication to your Index.java page

2) The first thing that comes to my mind is that (from the Shiro documentation) Order Matters! URL path expressions are evaluated against an incoming request in the order they are defined and the FIRST MATCH WINS.

So…. I'd have recommended that you rewrite your rule like this:

    configuration.add(factory.createChain("/medicine/**").add(factory.roles(), "employee, doctor").build());

But that wouldn't work because our current RolesAuthorizationFilter implementation works with "subject.hasAllRoles", which means that to access "/medicine/" you'd have to be both an employee AND a doctor.

As a workaround you can write your own RolesAuthorizationFilter version checking for "hasAnyRoles" instead of "hasAllRoles".

I don't know if there is any other option.

Cheers.
Alejandro.

On Sat, Dec 17, 2011 at 5:12 AM, csckid wrote:
> I wrote this following code to restrict the user from accessing certain
> pages. Problem is it isn't working correctly.
>
> configuration.add(factory.createChain("/index").add(factory.authc()).build());
>
> I wrote this code so that only authorized user view the page, But in my
> program everyone can view.
>
> configuration.add(factory.createChain("/medicine/**").add(factory.roles(), "employee").build());
> configuration.add(factory.createChain("/medicine/**").add(factory.roles(), "doctor").build());
>
> With this code employee cannot access tml file of medicine folder but doctor
> can. Why is this so?
>
> public static void contributeSecurityConfiguration(Configuration configuration, SecurityFilterChainFactory factory) {
>     configuration.add(factory.createChain("/signin").add(factory.anon()).build());
>     configuration.add(factory.createChain("/index").add(factory.authc()).build());
>     configuration.add(factory.createChain("/medicine/**").add(factory.roles(), "employee").build());
>     configuration.add(factory.createChain("/prescription/**").add(factory.roles(), "doctor").build());
>     configuration.add(factory.createChain("/medicine/**").add(factory.roles(), "doctor").build());
> }
>
> --
> View this message in context: http://tapestry.1045711.n5.nabble.com/shiro-tp5082018p5082018.html
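Alejandro's workaround written out as an added example (not code from this thread or from tapestry-security): a filter derived from Shiro's RolesAuthorizationFilter that grants access when the subject holds any one of the configured roles, and the single /medicine/** chain that uses it. Assumed here are the package name, the tapestry-security import paths, the Configuration<SecurityFilterChain> generic, and that the chain builder's add(...) accepts a Shiro Filter instance with its config string the same way it accepts factory.roles().

```java
package com.example.security; // hypothetical package, not from the thread

import java.io.IOException;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.tapestry5.ioc.Configuration;
import org.tynamo.security.services.SecurityFilterChainFactory;
import org.tynamo.security.services.impl.SecurityFilterChain; // assumed import path

/**
 * Grants access when the subject holds ANY of the roles listed in the path
 * config ("employee, doctor") instead of ALL of them, which is what Shiro's
 * RolesAuthorizationFilter (subject.hasAllRoles) requires.
 *
 * Shiro splits the comma-separated config into the String[] it passes as
 * mappedValue. An empty list means "no restriction", as in the parent filter.
 */
public class AnyRolesAuthorizationFilter extends RolesAuthorizationFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        String[] rolesArray = (String[]) mappedValue;
        if (rolesArray == null || rolesArray.length == 0) {
            return true; // nothing configured: behave like the parent filter
        }
        Subject subject = getSubject(request, response);
        for (String role : rolesArray) {
            if (subject.hasRole(role.trim())) {
                return true; // one matching role is enough
            }
        }
        // None of the configured roles held: the parent's onAccessDenied runs
        // next and redirects to the login or unauthorized URL as usual.
        return false;
    }
}

/**
 * The AppModule side (shown here as a separate class only to keep the file
 * self-contained; in a real project this is a method of AppModule).
 * Order matters: the first matching chain wins, so /medicine/** gets exactly
 * one definition, and "/" rather than "/index" is protected because links to
 * the Index page point at "/".
 */
class AppModuleExcerpt {
    public static void contributeSecurityConfiguration(Configuration<SecurityFilterChain> configuration,
                                                       SecurityFilterChainFactory factory) {
        configuration.add(factory.createChain("/signin").add(factory.anon()).build());
        configuration.add(factory.createChain("/").add(factory.authc()).build());
        configuration.add(factory.createChain("/medicine/**")
                .add(new AnyRolesAuthorizationFilter(), "employee, doctor").build());
        configuration.add(factory.createChain("/prescription/**")
                .add(factory.roles(), "doctor").build());
    }
}
```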
shiro
I wrote the following code to restrict the user from accessing certain pages. Problem is it isn't working correctly.

    configuration.add(factory.createChain("/index").add(factory.authc()).build());

I wrote this code so that only authorized users can view the page, but in my program everyone can view it.

    configuration.add(factory.createChain("/medicine/**").add(factory.roles(), "employee").build());
    configuration.add(factory.createChain("/medicine/**").add(factory.roles(), "doctor").build());

With this code an employee cannot access the tml files of the medicine folder but a doctor can. Why is this so?

    public static void contributeSecurityConfiguration(Configuration configuration, SecurityFilterChainFactory factory) {
        configuration.add(factory.createChain("/signin").add(factory.anon()).build());
        configuration.add(factory.createChain("/index").add(factory.authc()).build());
        configuration.add(factory.createChain("/medicine/**").add(factory.roles(), "employee").build());
        configuration.add(factory.createChain("/prescription/**").add(factory.roles(), "doctor").build());
        configuration.add(factory.createChain("/medicine/**").add(factory.roles(), "doctor").build());
    }

--
View this message in context: http://tapestry.1045711.n5.nabble.com/shiro-tp5082018p5082018.html
Re: tapestry-security shiro
On Thu, Dec 8, 2011 at 8:05 PM, csckid wrote:
> I am trying to configure my tapestry project with tapestry-security, but
> couldn't connect them. Right now I just want to try it out with a simple login
> page. Roles, user name and password will come from the database.
> Is there any simple tutorial just for this?

shiro-users.properties is for a properties realm (i.e. that's your simple "user database"). You want a custom realm for your database model, something like:
http://svn.codehaus.org/tynamo/trunk/tynamo-federatedaccounts/tynamo-federatedaccounts-core/src/test/java/org/tynamo/security/federatedaccounts/testapp/services/UserRealm.java
(you can safely ignore all the federated stuff in your use case). There are several links to this example from the main documentation page at http://tynamo.org/tapestry-security+guide.

Kalle

> This is what I have done so far:
>
> *SignIn.tml*
> xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd"
> xmlns:p="tapestry:parameter">
>
> SignIn.java
>
> public class Signin {
>     @Inject
>     private SecurityService securityService;
>
>     @Inject
>     private ApplicationStateManager applicationStateManager;
>
>     void onActivate() {
>         if (securityService.getSubject().isAuthenticated()) {
>             //CurrentUser currentUser = applicationStateManager.get(CurrentUser.class);
>             //currentUser.merge(securityService.getSubject().getPrincipal());
>         }
>     }
> }
>
> AppModule.java
>
> public static void contributeWebSecurityManager(Configuration configuration) {
>     ExtendedPropertiesRealm realm = new ExtendedPropertiesRealm("classpath:shiro-users.properties");
>     configuration.add(realm);
> }
>
> public static void contributeFactoryDefaults(MappedConfiguration<String, String> configuration) {
>     configuration.override(SecuritySymbols.LOGIN_URL, "/signin");
> }
>
> public static void contributeWebSecurityManager(Configuration configuration, @Inject AuthorizingRealm realm) {
>     configuration.add(realm);
> }
>
> public static void contributeSecurityRequestFilter(OrderedConfiguration configuration) {
>     configuration.add("index-anon", new FilterChainDefinition("/index", "anon"));
>     configuration.add("signup-anon", new FilterChainDefinition("/signup", "anon"));
>     configuration.add("signin-anon", new FilterChainDefinition("/signin", "anon"));
> }
>
> *shiro-users.properties*
> //I really don't know what to write here
> user.localuser = local, admin
> role.admin = user:view
>
> --
> View this message in context: http://tapestry.1045711.n5.nabble.com/tapestry-security-shiro-tp5060704p5060704.html
tapestry-security shiro
I am trying to configure my tapestry project with tapestry-security, but couldn't connect them. Right now I just want to try it out with a simple login page. Roles, user name and password will come from the database. Is there any simple tutorial just for this?

This is what I have done so far:

*SignIn.tml*

    http://tapestry.apache.org/schema/tapestry_5_1_0.xsd"
    xmlns:p="tapestry:parameter">

SignIn.java

    public class Signin {
        @Inject
        private SecurityService securityService;

        @Inject
        private ApplicationStateManager applicationStateManager;

        void onActivate() {
            if (securityService.getSubject().isAuthenticated()) {
                //CurrentUser currentUser = applicationStateManager.get(CurrentUser.class);
                //currentUser.merge(securityService.getSubject().getPrincipal());
            }
        }
    }

AppModule.java

    public static void contributeWebSecurityManager(Configuration configuration) {
        ExtendedPropertiesRealm realm = new ExtendedPropertiesRealm("classpath:shiro-users.properties");
        configuration.add(realm);
    }

    public static void contributeFactoryDefaults(MappedConfiguration configuration) {
        configuration.override(SecuritySymbols.LOGIN_URL, "/signin");
    }

    public static void contributeWebSecurityManager(Configuration configuration, @Inject AuthorizingRealm realm) {
        configuration.add(realm);
    }

    public static void contributeSecurityRequestFilter(OrderedConfiguration configuration) {
        configuration.add("index-anon", new FilterChainDefinition("/index", "anon"));
        configuration.add("signup-anon", new FilterChainDefinition("/signup", "anon"));
        configuration.add("signin-anon", new FilterChainDefinition("/signin", "anon"));
    }

*shiro-users.properties*

    //I really don't know what to write here
    user.localuser = local, admin
    role.admin = user:view

--
View this message in context: http://tapestry.1045711.n5.nabble.com/tapestry-security-shiro-tp5060704p5060704.html
Re: T5.1 and Tynamo Security: override a Shiro Filter
Damn, I only now find out that I have replies to my question.

Kalle, I have an app that sometimes (depending on some conf init parameter) should use the typical login "inapp" sequence (tapestry login page and out of the box tapestry-shiro integration) but at other times the authentication should be handled by apache that proxies the jee container and auth info is passed as an XX header. So in one case I don't need any conf file at all and in the second I need a shiro.ini file to override the default authc filter and also to mark a number of URLs to be accessible by anonymous users:

    [main]
    authc=com.programeter.web.filters.RemoteUserAuhtenticationFilter

    [urls]
    /assets/**=anon
    /register*=anon
    /register/**=anon
    /unauthorized*=anon
    /unauthorized/**=anon
    /changepassword*=anon
    /changepassword/**=anon
    /remindpassword*=anon
    /remindpassword/**=anon
    /**=authc

Kalle, thanks for raising this in Jira -> will vote and follow it!

--
View this message in context: http://tapestry-users.832.n2.nabble.com/T5-1-and-Tynamo-Security-override-a-Shiro-Filter-tp5769989p6191642.html
Re: Integrating tynamo tapestry-security (apache shiro)
Hi Kalle - thanks for the reply, I've created an issue for #1
http://jira.codehaus.org/browse/TYNAMO-87

--magnus

On Fri, Mar 4, 2011 at 6:23 PM, Kalle Korhonen wrote:
> On Fri, Mar 4, 2011 at 1:49 AM, Magnus Kvalheim wrote:
> > This post is mostly related to tapestry-security, but I hope it's ok to post
> > here in tapestry mailing list (now that Kalle is a committer and all.. :) )
> > So I finally decided to implement tapestry-security. Had a few bumps in the
> > road, as I will come back to, but all in all I must say it's been a
> > pleasure.
>
> Thanks for the extensive usage report Magnus! I've used
> tapestry-security in so many projects now that I know it works well but
> that said, I do want it to cover *all* security use cases.
>
> > 1. Make tapestry-security localization aware
> > When specifying urls for AccessControlFilters, either in shiro.ini or while
> > setting applicationDefaults tapestry-security does not seem to honor
> > localization.
> > So if I'm accessing through /en paths - then I'm redirected to a / and
> > lose the localization info.
> > I have not been able to solve this yet.
>
> Please open a (Tynamo) issue for it and I get to it.
>
> > 2. shiro.ini or module configuration - I'm confused
> > The tapestry-security documentation say you can configure shiro in either
> > shiro.ini or in module.
> > I might be wrong here, but it seems that from module you can only configure
> > redirect urls, and FilterChainDefinitions
> > through contributeSecurityRequestFilter.
>
> You are right, currently shiro.ini is needed for configuring that. I
> had made a separate jsecurity integration myself and the functionality
> is available in tapestry-security 0.1.0, but that part is yet to be
> merged into current tapestry-security codebase (which is the result of
> work from multiple contributors). I think I had even an issue opened
> for it.. yes this is related:
> http://jira.codehaus.org/browse/TYNAMO-76 (there's more, but I spare
> you from the details).
>
> > 3. Problems doing logout from tapestry
> > (I've just found a different post regarding this with subject: "Error after
> > logout")
> > I found that when shiro is doing logout it invalidates the session in the
> > end.
>
> You can log out alright, but you just get the ugly stack traces if
> Tapestry doesn't know about it before hand. Howard by the way fixed
> that already in T5.3. What you ended up doing is exactly how I've done
> it in numerous samples we have for tapestry-security. As always, the
> documentation could be improved...
>
> Kalle
Re: Integrating tynamo tapestry-security (apache shiro)
On Fri, Mar 4, 2011 at 1:49 AM, Magnus Kvalheim wrote:
> This post is mostly related to tapestry-security, but I hope it's ok to post
> here in tapestry mailing list (now that Kalle is a committer and all.. :) )
> So I finally decided to implement tapestry-security. Had a few bumps in the
> road, as I will come back to, but all in all I must say it's been a
> pleasure.

Thanks for the extensive usage report Magnus! I've used tapestry-security in so many projects now that I know it works well but that said, I do want it to cover *all* security use cases.

> 1. Make tapestry-security localization aware
> When specifying urls for AccessControlFilters, either in shiro.ini or while
> setting applicationDefaults tapestry-security does not seem to honor
> localization.
> So if I'm accessing through /en paths - then I'm redirected to a / and
> lose the localization info.
> I have not been able to solve this yet.

Please open a (Tynamo) issue for it and I get to it.

> 2. shiro.ini or module configuration - I'm confused
> The tapestry-security documentation say you can configure shiro in either
> shiro.ini or in module.
> I might be wrong here, but it seems that from module you can only configure
> redirect urls, and FilterChainDefinitions
> through contributeSecurityRequestFilter.

You are right, currently shiro.ini is needed for configuring that. I had made a separate jsecurity integration myself and the functionality is available in tapestry-security 0.1.0, but that part is yet to be merged into current tapestry-security codebase (which is the result of work from multiple contributors). I think I had even an issue opened for it.. yes this is related: http://jira.codehaus.org/browse/TYNAMO-76 (there's more, but I spare you from the details).

> 3. Problems doing logout from tapestry
> (I've just found a different post regarding this with subject: "Error after
> logout")
> I found that when shiro is doing logout it invalidates the session in the
> end.

You can log out alright, but you just get the ugly stack traces if Tapestry doesn't know about it before hand. Howard by the way fixed that already in T5.3. What you ended up doing is exactly how I've done it in numerous samples we have for tapestry-security. As always, the documentation could be improved...

Kalle
Integrating tynamo tapestry-security (apache shiro)
Hi,

This post is mostly related to tapestry-security, but I hope it's ok to post here in tapestry mailing list (now that Kalle is a committer and all.. :) )

So I finally decided to implement tapestry-security. Had a few bumps in the road, as I will come back to, but all in all I must say it's been a pleasure.

Using:
Tapestry 5.2.4
Tapestry-Security: 0.3.1

Initially I had a custom authentication dispatcher for restricting access, and a cookie rememberme (also a dispatcher). With tapestry-security and shiro I get a feature rich authentication and authorization framework based on roles and permissions and it's been pretty straightforward to replace the dispatchers with tapestry-security. I have however decided to keep the cookie dispatcher as a fallback for the users so they don't have to reauthenticate with shiro. If such a user visits - then the user will be looked up, and logged in with shiro (now with a shiro rememberme manager). I think it's a gentle transition.

I had some challenges along the way. Perhaps it can be useful for others, and it would be great for some feedback in case it can be done in a better way (or if I've just missed the correct way of configuration).

1. Make tapestry-security localization aware

When specifying urls for AccessControlFilters, either in shiro.ini or while setting applicationDefaults tapestry-security does not seem to honor localization. So if I'm accessing through /en paths - then I'm redirected to a / and lose the localization info. I have not been able to solve this yet.

2. shiro.ini or module configuration - I'm confused

The tapestry-security documentation say you can configure shiro in either shiro.ini or in module. I might be wrong here, but it seems that from module you can only configure redirect urls, and FilterChainDefinitions through contributeSecurityRequestFilter.

For example I needed to implement my own RememberMeManager for customizing the cookie ttl (I want to set either a long lived cookie or sessioncookie depending on condition). I first tried to do this in shiro.ini:

    [main]
    # Objects and their properties are defined here,
    # Such as the securityManager, Realms and anything
    # else needed to build the SecurityManager
    myRememberMeManager = com.movellas.web.security.MyCookieRemberMeManager
    securityManager.rememberMeManager = $myRememberMeManager

I can see my manager is instantiated, but somehow it's being discarded and the standard CookieRememberMeManager takes precedence.

What I ended up doing is probably not recommended, but it works. In appmodule:

    /**
     * This is probably not recommended, but we need to somehow supply our own remembermanager.
     * If this is specified in shiro.ini, then it will be overridden by Tynamo's TapestryRealmSecurityManager
     * @param manager
     * @return
     */
    @Match("WebSecurityManager")
    public static WebSecurityManager decorateWebSecurityManager(WebSecurityManager manager) {
        if(manager instanceof TapestryRealmSecurityManager) {
            MyCookieRemberMeManager cmanager = new MyCookieRemberMeManager();
            cmanager.setCipherKey(Base64.decode("##=="));
            ((TapestryRealmSecurityManager)manager).setRememberMeManager(cmanager);
        }
        return null;
    }

I get the reference to the security manager, but don't really decorate - just change the remembermemanager. (I also change the cipherKey.)

Please let me know if someone has a better suggestion. What can be configured from shiro.ini and what can be configured in module? (It would seem like some parts of the ini configuration are just thrown away.)

3. Problems doing logout from tapestry

(I've just found a different post regarding this with subject: "Error after logout")

I found that when shiro is doing logout it invalidates the session in the end. As tapestry is using a Request service which 'shadows' the httpservletrequest and keeps an internal state, it is not informed that the session is actually invalidated elsewhere. It therefore tries to access the session and exceptions are thrown. I tried experimenting with the order of doing things, and got different exceptions. Currently I use this variant.

Logout.java

    Object onActivate() {
        /**
         * The order is important as shiro uses the 'real' httpsession.
         * Upon logout shiro clears session and cache and if session is already invalidated - an exception occurs.
         *
         * Tapestry on the other hand uses a session facade and if the 'real' httpsession is invalidated then the facade doesn't know about it as it maintains its own state.
         * This causes tapestry to fail internally.
         *
         * So the strategy is: Let shiro perform logout, then invalidate tapestry's session and catch IllegalStateException as result of it.
         */
        //1. Logout shiro
        securityService.getSubject().logout();
        //2. Logout legacy
        if(!Validator.isBlan
Re: questions regarding tapestry, shiro, tapestry-security and the hotel-booking-demo
Thanks, Taha, that really helped, I got it working.

Ron

From: Taha Hafeez
To: Tapestry users
Sent: Wed, January 5, 2011 4:21:49 PM
Subject: Re: questions regarding tapestry, shiro, tapestry-security and the hotel-booking-demo

The configuration is in the AppModule particularly

    public static void contributeFactoryDefaults(MappedConfiguration configuration) {
        configuration.override(SecuritySymbols.LOGIN_URL, "/signin");
        configuration.override(SecuritySymbols.SUCCESS_URL, "/search");
        configuration.override(SecuritySymbols.DEFAULTSIGNINPAGE, "/signin");
        configuration.override(SecuritySymbols.SHOULD_LOAD_INI_FROM_CONFIG_PATH, "false");
    }

and

    public static void contributeWebSecurityManager(Configuration configuration, @Inject AuthorizingRealm realm) {
        configuration.add(realm);
    }

    public static void contributeSecurityRequestFilter(OrderedConfiguration configuration) {
        configuration.add("assets", new FilterChainDefinition(RequestConstants.ASSET_PATH_PREFIX + "**", "anon"));
        configuration.add("signin", new FilterChainDefinition("/signin**", "anon"), "after:assets");
        configuration.add("signup", new FilterChainDefinition("/signup**", "anon"), "after:signin");
        configuration.add("secured", new FilterChainDefinition("/**", "authc"), "after:signup");
    }

regards
Taha

On Wed, Jan 5, 2011 at 1:46 PM, Ronald Luke wrote:
> Hello, guys,
>
> I am having a very hard time trying to figure out how to use shiro in
> tapestry.
>
> Now I'm looking at the wonderful T5 hotel-booking-demo (using tynamo's
> tapestry-security) code. If a visitor is not logged in, when she goes to the
> search page, she will be redirected to the signin page. Looking at the
> Search.java, I don't understand how it works. Here's the code http://ja.gs/Ce. I
> don't see any service injected which can check if user logs in and redirect.
>
> Please shed some light on this.
>
> Thanks much.
>
> Ron
Re: questions regarding tapestry, shiro, tapestry-security and the hotel-booking-demo
On Wed, 05 Jan 2011 06:16:43 -0200, Ronald Luke wrote:
> Hello, guys,

Hi!

> Now I'm looking at the wonderful T5 hotel-booking-demo (using tynamo's tapestry-security) code. If a visitor is not logged in, when she goes to the search page, she will be redirected to the signin page. Looking at the Search.java, I don't understand how it works. Here's the code http://ja.gs/Ce. I don't see any service injected which can check if user logs in and redirect.

Complementing Taha's answer: that's the beauty of its implementation and also of Tapestry: it is implemented as a RequestFilter, so you don't need any code in your pages to have them secured. The login redirection logic is implemented in a single place and invoked for each page.

--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and instructor
Owner, Ars Machina Tecnologia da Informação Ltda.
http://www.arsmachina.com.br
Re: questions regarding tapestry, shiro, tapestry-security and the hotel-booking-demo
The configuration is in the AppModule particularly

    public static void contributeFactoryDefaults(MappedConfiguration configuration) {
        configuration.override(SecuritySymbols.LOGIN_URL, "/signin");
        configuration.override(SecuritySymbols.SUCCESS_URL, "/search");
        configuration.override(SecuritySymbols.DEFAULTSIGNINPAGE, "/signin");
        configuration.override(SecuritySymbols.SHOULD_LOAD_INI_FROM_CONFIG_PATH, "false");
    }

and

    public static void contributeWebSecurityManager(Configuration configuration, @Inject AuthorizingRealm realm) {
        configuration.add(realm);
    }

    public static void contributeSecurityRequestFilter(OrderedConfiguration configuration) {
        configuration.add("assets", new FilterChainDefinition(RequestConstants.ASSET_PATH_PREFIX + "**", "anon"));
        configuration.add("signin", new FilterChainDefinition("/signin**", "anon"), "after:assets");
        configuration.add("signup", new FilterChainDefinition("/signup**", "anon"), "after:signin");
        configuration.add("secured", new FilterChainDefinition("/**", "authc"), "after:signup");
    }

regards
Taha

On Wed, Jan 5, 2011 at 1:46 PM, Ronald Luke wrote:
> Hello, guys,
>
> I am having a very hard time trying to figure out how to use shiro in
> tapestry.
>
> Now I'm looking at the wonderful T5 hotel-booking-demo (using tynamo's
> tapestry-security) code. If a visitor is not logged in, when she goes to the
> search page, she will be redirected to the signin page. Looking at the
> Search.java, I don't understand how it works. Here's the code http://ja.gs/Ce. I
> don't see any service injected which can check if user logs in and redirect.
>
> Please shed some light on this.
>
> Thanks much.
>
> Ron
questions regarding tapestry, shiro, tapestry-security and the hotel-booking-demo
Hello, guys,

I am having a very hard time trying to figure out how to use shiro in tapestry.

Now I'm looking at the wonderful T5 hotel-booking-demo (using tynamo's tapestry-security) code. If a visitor is not logged in, when she goes to the search page, she will be redirected to the signin page. Looking at the Search.java, I don't understand how it works. Here's the code http://ja.gs/Ce. I don't see any service injected which can check if user logs in and redirect.

Please shed some light on this.

Thanks much.

Ron
Re: T5.1 and Tynamo Security: override a Shiro Filter
Follow http://jira.codehaus.org/browse/TYNAMO-67. In the one application I needed this, I'm still using tapestry-security 0.1.0 which allowed this type of contribution and was a separate and my original effort at integrating jsecurity/shiro. There were a few other interesting features and I'll merge them in over time, but don't hold your breath. Out of interest, what's your use case for it? (If it's just the dislike of the configuration file, that's fine, I get it).

Kalle

On Thu, Nov 25, 2010 at 10:06 AM, Kalle Korhonen wrote:
> Whoops. We certainly wanted to make overriding possible
> programmatically. I'm on it, didn't look into the code yet but if it
> doesn't currently work I'll definitely fix it. Which version of
> tapestry-security are you using?
>
> Kalle
>
> On Wed, Nov 24, 2010 at 3:11 AM, anton.litvinenko wrote:
>> Hello!
>>
>> I need to override Shiro authc filter. I can do that via shiro.ini file:
>> [main]
>> authc=com.programeter.web.security.RemoteUserAuhtenticationFilter
>>
>> But I am wondering if there's a way to achieve the same via XxxModule and
>> configure Shiro via Tynamo Security. Tynamo has a SecurityRequestFilter
>> class, but it seems that the section that could help me is commented out:
>>
>> /*
>> //Apply the acquired and/or configured filters:
>> Map filters = getFilters();
>> if (!CollectionUtils.isEmpty(filters)) {
>>     for (Map.Entry entry : filters.entrySet()) {
>>         String name = entry.getKey();
>>         Filter filter = entry.getValue();
>>         applyGlobalPropertiesIfNecessary(filter);
>>         if (filter instanceof Nameable) {
>>             ((Nameable) filter).setName(name);
>>         }
>>         //'init' argument is false, since Spring-configured filters should be initialized
>>         //in Spring (i.e. 'init-method=blah') or implement InitializingBean:
>>         manager.addFilter(name, filter, false);
>>     }
>> }
>> */
>>
>> Am I missing something? Or is it by design not permitted to override (or add
>> custom) filters via Tapestry IOC?
>>
>> --
>> View this message in context:
>> http://tapestry-users.832.n2.nabble.com/T5-1-and-Tynamo-Security-override-a-Shiro-Filter-tp5769989p5769989.html
Re: T5.1 and Tynamo Security: override a Shiro Filter
Whoops. We certainly wanted to make overriding possible programmatically. I'm on it, didn't look into the code yet but if it doesn't currently work I'll definitely fix it. Which version of tapestry-security are you using?

Kalle

On Wed, Nov 24, 2010 at 3:11 AM, anton.litvinenko wrote:
> Hello!
>
> I need to override Shiro authc filter. I can do that via shiro.ini file:
> [main]
> authc=com.programeter.web.security.RemoteUserAuhtenticationFilter
>
> But I am wondering if there's a way to achieve the same via XxxModule and
> configure Shiro via Tynamo Security. Tynamo has a SecurityRequestFilter
> class, but it seems that the section that could help me is commented out:
>
> /*
> //Apply the acquired and/or configured filters:
> Map filters = getFilters();
> if (!CollectionUtils.isEmpty(filters)) {
>     for (Map.Entry entry : filters.entrySet()) {
>         String name = entry.getKey();
>         Filter filter = entry.getValue();
>         applyGlobalPropertiesIfNecessary(filter);
>         if (filter instanceof Nameable) {
>             ((Nameable) filter).setName(name);
>         }
>         //'init' argument is false, since Spring-configured filters should be initialized
>         //in Spring (i.e. 'init-method=blah') or implement InitializingBean:
>         manager.addFilter(name, filter, false);
>     }
> }
> */
>
> Am I missing something? Or is it by design not permitted to override (or add
> custom) filters via Tapestry IOC?
>
> --
> View this message in context:
> http://tapestry-users.832.n2.nabble.com/T5-1-and-Tynamo-Security-override-a-Shiro-Filter-tp5769989p5769989.html
T5.1 and Tynamo Security: override a Shiro Filter
Hello!

I need to override Shiro authc filter. I can do that via shiro.ini file:

    [main]
    authc=com.programeter.web.security.RemoteUserAuhtenticationFilter

But I am wondering if there's a way to achieve the same via XxxModule and configure Shiro via Tynamo Security. Tynamo has a SecurityRequestFilter class, but it seems that the section that could help me is commented out:

    /*
    //Apply the acquired and/or configured filters:
    Map filters = getFilters();
    if (!CollectionUtils.isEmpty(filters)) {
        for (Map.Entry entry : filters.entrySet()) {
            String name = entry.getKey();
            Filter filter = entry.getValue();
            applyGlobalPropertiesIfNecessary(filter);
            if (filter instanceof Nameable) {
                ((Nameable) filter).setName(name);
            }
            //'init' argument is false, since Spring-configured filters should be initialized
            //in Spring (i.e. 'init-method=blah') or implement InitializingBean:
            manager.addFilter(name, filter, false);
        }
    }
    */

Am I missing something? Or is it by design not permitted to override (or add custom) filters via Tapestry IOC?

--
View this message in context: http://tapestry-users.832.n2.nabble.com/T5-1-and-Tynamo-Security-override-a-Shiro-Filter-tp5769989p5769989.html
Re: tynamo tapestry-security / shiro help
Alejandro,

Would you mind posting your Realm implementation? I tried just providing a CacheManager to the constructor for AuthorizingRealm but there must be something else missing as I still have 2 problems:

1. The SimpleAccount is not being cached after the credentials have been checked (ie after doGetAuthenticationInfo) but is then being requested for the 'hasRole' check

2. I get an exception:

    Caused by: java.lang.IllegalArgumentException: Cache name cannot be null or empty.
        at org.apache.shiro.cache.AbstractCacheManager.getCache(AbstractCacheManager.java:61)
        at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationCacheLazy(AuthorizingRealm.java:245)
        at org.apache.shiro.realm.AuthorizingRealm.getAvailableAuthorizationCache(AuthorizingRealm.java:260)
        at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:322)
        at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:567)

Also, could you explain how the cache entries are evicted? Would this happen at exactly the time the httpsession is invalidated?

Thanks, Paul.

On 23/11/2010 1:28 AM, Alejandro Scandroli wrote:
> Hi Paul
>
> The AuthorizingRealm constructor can take a CacheManager as a parameter.
> In our case we use the EhCacheManager.
> That's all you need!
>
> Cheers.
> Alejandro
>
> On Fri, Nov 19, 2010 at 12:58 AM, Paul Stanton wrote:
>> Kalle,
>>
>> I think I'm making progress however I haven't found a good guide to
>> confirm I'm on the right track.
>>
>> I have a persistent User entity (db+hibernate). The user has multiple roles.
>> I only really want to use the RequiresRoles annotation on pages (and some
>> methods) at this point.
>>
>> So what I've done so far:
>>
>> AuthorizingRealm and my doGetAuthenticationInfo creates a SimpleAccount with
>> the roles set populated.
>>
>> But once the code hits a RequiresRole annotation, the
>> realm.doGetAuthorizationInfo is called.
>>
>> I don't want to go back to my persistent entity at this point since I've
>> already told the security module about the user's roles.
>>
>> How do I make AuthorizingRealm cache the SimpleAccount returned from
>> doGetAuthenticationInfo and use it for doGetAuthorizationInfo?
>>
>> Also, I'd expect this cache element to have the same lifecycle as the user's
>> session, is that the case?
>>
>> Thanks, Paul.
Re: tynamo tapestry-security / shiro help
Hi Paul

The AuthorizingRealm constructor can take a CacheManager as a parameter. In our case we use the EhCacheManager.
That's all you need!

Cheers.
Alejandro

On Fri, Nov 19, 2010 at 12:58 AM, Paul Stanton wrote:
> Kalle,
>
> I think I'm making progress; however, I haven't found a good guide to
> confirm I'm on the right track.
>
> I have a persistent User entity (db+hibernate). The user has multiple roles.
> I only really want to use the RequiresRoles annotation on pages (and some
> methods) at this point.
>
> So what I've done so far:
>
> AuthorizingRealm and my doGetAuthenticationInfo creates a SimpleAccount with
> the roles set populated.
>
> But once the code hits a RequiresRole annotation, the
> realm.doGetAuthorizationInfo is called.
>
> I don't want to go back to my persistent entity at this point since I've
> already told the security module about the user's roles.
>
> How do I make AuthorizingRealm cache the SimpleAccount returned from
> doGetAuthenticationInfo and use it for doGetAuthorizationInfo?
>
> Also, I'd expect this cache element to have the same lifecycle as the user's
> session, is that the case?
>
> Thanks, Paul.
tynamo tapestry-security / shiro help
Kalle,

I think I'm making progress; however, I haven't found a good guide to confirm I'm on the right track.

I have a persistent User entity (db+hibernate). The user has multiple roles. I only really want to use the RequiresRoles annotation on pages (and some methods) at this point.

So what I've done so far:

AuthorizingRealm and my doGetAuthenticationInfo creates a SimpleAccount with the roles set populated.

But once the code hits a RequiresRole annotation, the realm.doGetAuthorizationInfo is called.

I don't want to go back to my persistent entity at this point since I've already told the security module about the user's roles.

How do I make AuthorizingRealm cache the SimpleAccount returned from doGetAuthenticationInfo and use it for doGetAuthorizationInfo?

Also, I'd expect this cache element to have the same lifecycle as the user's session, is that the case?

Thanks, Paul.
Re: tapestry security with 1.1.0 of shiro --> unable to get sha512 login working.
Thanks. How do I test that my configuration is working correctly?

    final String username = "username";
    final String password = "password";
    String hashedPasswordBase64 = new Sha512Hash(password).toBase64();

    // ini part.
    Ini ini = new Ini();
    Ini.Section main = ini.addSection("main");
    main.put("credentialsMatcher", "org.apache.shiro.authc.credential.Sha512CredentialsMatcher");
    main.put("iniRealm.credentialsMatcher", "$credentialsMatcher");
    main.put("credentialsMatcher.storedCredentialsHexEncoded", "false");
    Ini.Section testUsers = ini.addSection(IniRealm.USERS_SECTION_NAME);
    testUsers.put(username, hashedPasswordBase64);

    IniSecurityManagerFactory factory = new IniSecurityManagerFactory(ini);
    SecurityManager sm = factory.createInstance();

    // try to log-in:
    Subject subject = new Subject.Builder(sm).buildSubject();
    // ensure thread clean-up after the login method returns. Test cases only:
    subject.execute(new Runnable() {
        public void run() {
            SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password));
        }
    });
    Assert.assertEquals(subject.getPrincipal(), username);

But I have no idea how to test salt.
Re: tapestry security with 1.1.0 of shiro --> unable to get sha512 login working.
Whoa, a plain JDBC connection, that's old school :)

You are pretty close - just as a test, you could remove the salt and see if simply comparing the hashes works - I believe it should. Now, a couple of notes:

1) Are you sure you are storing the salt as base64 encoded? Your read expects that to be so. You could easily compare the salt value only in getPasswordForUser(...) to see if you are getting back what you expected.

2) Sha512CredentialsMatcher is deprecated (though it might be the simplest way of configuring if you use an ini file). Read the whole javadoc for HashedCredentialsMatcher, it has more than you need but see this excerpt:

     * @deprecated since 1.1 - use the HashedCredentialsMatcher directly and set its
     * {@link HashedCredentialsMatcher#setHashAlgorithmName(String) hashAlgorithmName} property.
     */
    public class Sha512CredentialsMatcher extends HashedCredentialsMatcher {

3) Are you using T5.1.0.5? If so, use the brand new, yet unannounced tapestry-security 0.2.1 (that depends on Shiro 1.1.0).

Agree this is important enough to have a decent example for it. I'm waiting to have the T5.2.3 release available before making the corresponding tapestry-security release and then working out some examples with the latest Shiro.

Kalle

On Sat, Nov 13, 2010 at 8:05 AM, cablepuff wrote:
>
> So this is in my pom.xml
>
> I have 0.2.0 version of tynamo security excluding apache shiro
> 1.0.0.incubating and instead using 1.1.0 of apache shiro.
>
> my save user looks like this..
>
> // begin save user
> RandomNumberGenerator rng = new SecureRandomNumberGenerator();
> String byteSource = rng.nextBytes().toBase64();
> String hashedPasswordBase64 = new Sha512Hash(password, byteSource.getBytes(), 1024).toBase64();
> RegisterUser user = new RegisterUser(username, email, hashedPasswordBase64, byteSource);
> return this.userDao.createUser(user);
> // end save user.
>
>
> inside my jdbcSaltedRealm which extends JdbcRealm. it has these code.
>
> // begin code
> protected static final String DEFAULT_AUTHENTICATION_QUERY = "select password, passwordSalt from users where username = ?";
>
> @Override
> protected SaltedAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
>
>     UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>     String username = upToken.getUsername();
>
>     // Null username is invalid
>     if (username == null) {
>         throw new AccountException("Null usernames are not allowed by this realm.");
>     }
>
>     Connection conn = null;
>     SaltedAuthenticationInfo info = null;
>     try {
>         conn = dataSource.getConnection();
>
>         PasswordWithSalt pws = getPasswordForUser(conn, username);
>
>         if (pws == null) {
>             throw new UnknownAccountException("No account found for user [" + username + "]");
>         }
>
>         info = buildAuthenticationInfo(username, pws.getPassword(), pws.getSalt());
>
>     } catch (SQLException e) {
>         final String message = "There was a SQL error while authenticating user [" + username + "]";
>         if (log.isErrorEnabled()) {
>             log.error(message, e);
>         }
>
>         // Rethrow any SQL errors as an authentication exception
>         throw new AuthenticationException(message, e);
>     } finally {
>         JdbcUtils.closeConnection(conn);
>     }
>
>     return info;
> }
>
> protected SaltedAuthenticationInfo buildAuthenticationInfo(String username, String password, ByteSource passwordSalt) {
>     return new SimpleAuthenticationInfo(username, password, passwordSalt, getName());
> }
>
>
> private PasswordWithSalt getPasswordForUser(Connection conn, String username) throws SQLException {
>
>     PreparedStatement ps = null;
>     ResultSet rs = null;
>     String password = null;
>     ByteSource salt = null;
>     try {
>         ps = conn.prepareStatement(authenticationQuery);
>         ps.setString(1, username);
>
>         // Execute query
>         rs = ps.executeQuery();
>
>         // Loop over results - although we are only expecting one result, since usernames should be unique
>         boolean foundResult = false;
>         while (rs.next()) {
>
>             // Check to ensure only one row is processed
>             if (foundResult) {
>
tapestry security with 1.1.0 of shiro --> unable to get sha512 login working.
So this is in my pom.xml: I have the 0.2.0 version of tynamo security, excluding apache shiro 1.0.0.incubating and instead using 1.1.0 of apache shiro.

My save user looks like this:

    // begin save user
    RandomNumberGenerator rng = new SecureRandomNumberGenerator();
    String byteSource = rng.nextBytes().toBase64();
    String hashedPasswordBase64 = new Sha512Hash(password, byteSource.getBytes(), 1024).toBase64();
    RegisterUser user = new RegisterUser(username, email, hashedPasswordBase64, byteSource);
    return this.userDao.createUser(user);
    // end save user.

Inside my jdbcSaltedRealm, which extends JdbcRealm, it has this code:

    // begin code
    protected static final String DEFAULT_AUTHENTICATION_QUERY =
            "select password, passwordSalt from users where username = ?";

    @Override
    protected SaltedAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {

        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();

        // Null username is invalid
        if (username == null) {
            throw new AccountException("Null usernames are not allowed by this realm.");
        }

        Connection conn = null;
        SaltedAuthenticationInfo info = null;
        try {
            conn = dataSource.getConnection();

            PasswordWithSalt pws = getPasswordForUser(conn, username);

            if (pws == null) {
                throw new UnknownAccountException("No account found for user [" + username + "]");
            }

            info = buildAuthenticationInfo(username, pws.getPassword(), pws.getSalt());

        } catch (SQLException e) {
            final String message = "There was a SQL error while authenticating user [" + username + "]";
            if (log.isErrorEnabled()) {
                log.error(message, e);
            }

            // Rethrow any SQL errors as an authentication exception
            throw new AuthenticationException(message, e);
        } finally {
            JdbcUtils.closeConnection(conn);
        }

        return info;
    }

    protected SaltedAuthenticationInfo buildAuthenticationInfo(String username, String password,
                                                               ByteSource passwordSalt) {
        return new SimpleAuthenticationInfo(username, password, passwordSalt, getName());
    }

    private PasswordWithSalt getPasswordForUser(Connection conn, String username) throws SQLException {

        PreparedStatement ps = null;
        ResultSet rs = null;
        String password = null;
        ByteSource salt = null;
        try {
            ps = conn.prepareStatement(authenticationQuery);
            ps.setString(1, username);

            // Execute query
            rs = ps.executeQuery();

            // Loop over results - although we are only expecting one result, since usernames should be unique
            boolean foundResult = false;
            while (rs.next()) {

                // Check to ensure only one row is processed
                if (foundResult) {
                    throw new AuthenticationException("More than one user row found for user ["
                            + username + "]. Usernames must be unique.");
                }

                password = rs.getString(1);
                String saltString = rs.getString(2);
                salt = new SimpleByteSource(Base64.decode(saltString));
                foundResult = true;
            }
        } finally {
            JdbcUtils.closeResultSet(rs);
            JdbcUtils.closeStatement(ps);
        }

        return new PasswordWithSalt(password, salt);
    }

My appmodule is like this:

    public void contributeWebSecurityManager(Configuration configuration) {
        realm = new JdbcSaltedRealm();
        realm.setDataSource(dataSource);
        realm.setAuthenticationQuery(AUTHENTICATION_QUERY);
        realm.setUserRolesQuery(USER_ROLES_QUERY);
        realm.setPermissionsQuery(PERMISSION_QUERY);
        realm.setPermissionsLookupEnabled(true);
        configuration.add(realm);
    }

    public void contributeApplicationDefaults(MappedConfiguration configuration) {
        // 1 MB max file size, 5 MB request upload size.
        configuration.add(SecuritySymbols.SHOULD_LOAD_INI_FROM_CONFIG_PATH, "true");
    }

Now my shiro.ini is like this:

    [main]
    credentialsMatcher=org.apache.shiro.authc.credential.Sha512CredentialsMatcher
    # base64 encoding, not hex in this example:
    credentialsMatcher.storedCredentialsHexEncoded=false
    credentialsMatcher.hashIterations=1024

Now whenever I log on I keep getting wrong username and password. Is there a guide or sample on how to get hashing to work with tapestry tynamo security? I could ge
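Kalle's first note (the salt is written one way and read back another) and cablepuff's question of how to test the salt, shown end to end as an added example: this is not code from the thread or from Tynamo, it only uses the Shiro 1.1 API the posts reference; the StoredUser holder and the realm name "jdbcSaltedRealm" are assumed stand-ins for the poster's RegisterUser/PasswordWithSalt classes and realm. The save path in the posted code hashes with byteSource.getBytes(), the characters of the Base64 text, while getPasswordForUser() decodes that text back to the random bytes, so the matcher never sees the salt that was used; the block runs both the consistent round trip and that posted variant through the non-deprecated HashedCredentialsMatcher.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

public class SaltRoundTrip {

    static final int ITERATIONS = 1024;   // must equal credentialsMatcher.hashIterations

    /** Assumed stand-in for RegisterUser/PasswordWithSalt: both columns stored as Base64 text. */
    static final class StoredUser {
        final String hashedPasswordBase64, saltBase64;
        StoredUser(String h, String s) { hashedPasswordBase64 = h; saltBase64 = s; }
    }

    /** Save path: hash with the RAW salt bytes and persist those same bytes, Base64-encoded. */
    static StoredUser register(String password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashed = new Sha512Hash(password, salt.getBytes(), ITERATIONS).toBase64();
        return new StoredUser(hashed, salt.toBase64());
    }

    /** Read path, as getPasswordForUser() does it: Base64 text back to the raw bytes. */
    static AuthenticationInfo loadAccount(String username, StoredUser u) {
        ByteSource salt = new SimpleByteSource(Base64.decode(u.saltBase64));
        return new SimpleAuthenticationInfo(username, u.hashedPasswordBase64, salt, "jdbcSaltedRealm");
    }

    /** Non-deprecated equivalent of the Sha512CredentialsMatcher lines in shiro.ini (Kalle's note 2). */
    static HashedCredentialsMatcher matcher() {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher();
        m.setHashAlgorithmName(Sha512Hash.ALGORITHM_NAME);
        m.setHashIterations(ITERATIONS);
        m.setStoredCredentialsHexEncoded(false);   // stored as Base64, not hex
        return m;
    }

    public static void main(String[] args) {
        StoredUser stored = register("password");
        UsernamePasswordToken token = new UsernamePasswordToken("username", "password");
        boolean consistent = matcher().doCredentialsMatch(token, loadAccount("username", stored));
        System.out.println("same salt bytes on save and read: " + consistent);

        // The posted save path: salt = characters of the Base64 text, not the decoded bytes.
        String hashedOverText = new Sha512Hash("password", stored.saltBase64.getBytes(), ITERATIONS).toBase64();
        StoredUser asPosted = new StoredUser(hashedOverText, stored.saltBase64);
        boolean posted = matcher().doCredentialsMatch(token, loadAccount("username", asPosted));
        System.out.println("Base64 text hashed, decoded bytes matched: " + posted);
    }
}
```

The first check is the salt test the second post asks for; the second reproduces the "wrong username and password" result from the posted code without a database.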
Re: tynamo-security (shiro) exception
Checked out Tynamo 0.3.0-Snapshot and the exception is gone. Thank you.

2010/10/25 Katia Aresti
> It's normal, you have to checkout the Tynamo branch ;)
>
>
> 2010/10/25 Anton Mezerny
>
> > Checked out new version of Hotel booking application. There is no
> > tynamo-security dependency in pom.xml at all. Am I doing something wrong?
> > Anton
> >
> > 2010/10/25 Christophe Cordenier
> >
> > > Hi
> > >
> > > Yes it's fixed, I have updated the pom.xml to use tynamo 0.3.0-SNAPSHOT
> > >
> > > 2010/10/25 Anton Mezerny
> > >
> > > > Hi all,
> > > > I am playing with hotel booking application and trying to use some
> > > > examples from it in my project. Now I have a problem in login page - when I
> > > > try to login, I got shiro's cipher exception, like here:
> > > > https://issues.apache.org/jira/browse/SHIRO-183
> > > > Is it fixed now? How can I upgrade to fixed version of
> > > > shiro/tynamo-security?
> > > > Thanks in advance.
> > > > Anton
> > >
> > > --
> > > Regards,
> > > Christophe Cordenier.
> > >
> > > Committer on Apache Tapestry 5
> > > Co-creator of wooki @wookicentral.com
Re: tynamo-security (shiro) exception
It's normal, you have to checkout the Tynamo branch ;)

2010/10/25 Anton Mezerny
> Checked out new version of Hotel booking application. There is no
> tynamo-security dependency in pom.xml at all. Am I doing something wrong?
> Anton
>
> 2010/10/25 Christophe Cordenier
>
> > Hi
> >
> > Yes it's fixed, I have updated the pom.xml to use tynamo 0.3.0-SNAPSHOT
> >
> > 2010/10/25 Anton Mezerny
> >
> > > Hi all,
> > > I am playing with hotel booking application and trying to use some
> > > examples from it in my project. Now I have a problem in login page - when I
> > > try to login, I got shiro's cipher exception, like here:
> > > https://issues.apache.org/jira/browse/SHIRO-183
> > > Is it fixed now? How can I upgrade to fixed version of
> > > shiro/tynamo-security?
> > > Thanks in advance.
> > > Anton
> >
> > --
> > Regards,
> > Christophe Cordenier.
> >
> > Committer on Apache Tapestry 5
> > Co-creator of wooki @wookicentral.com
Re: tynamo-security (shiro) exception
Checked out new version of Hotel booking application. There is no tynamo-security dependency in pom.xml at all. Am I doing something wrong?
Anton

2010/10/25 Christophe Cordenier
> Hi
>
> Yes it's fixed, I have updated the pom.xml to use tynamo 0.3.0-SNAPSHOT
>
> 2010/10/25 Anton Mezerny
>
> > Hi all,
> > I am playing with hotel booking application and trying to use some
> > examples from it in my project. Now I have a problem in login page - when I
> > try to login, I got shiro's cipher exception, like here:
> > https://issues.apache.org/jira/browse/SHIRO-183
> > Is it fixed now? How can I upgrade to fixed version of
> > shiro/tynamo-security?
> > Thanks in advance.
> > Anton
>
> --
> Regards,
> Christophe Cordenier.
>
> Committer on Apache Tapestry 5
> Co-creator of wooki @wookicentral.com
Re: tynamo-security (shiro) exception
Hi

Yes it's fixed, I have updated the pom.xml to use tynamo 0.3.0-SNAPSHOT

2010/10/25 Anton Mezerny
> Hi all,
> I am playing with hotel booking application and trying to use some examples
> from it in my project. Now I have a problem in login page - when I try to
> login, I got shiro's cipher exception, like here:
> https://issues.apache.org/jira/browse/SHIRO-183
> Is it fixed now? How can I upgrade to fixed version of
> shiro/tynamo-security?
> Thanks in advance.
> Anton

--
Regards,
Christophe Cordenier.

Committer on Apache Tapestry 5
Co-creator of wooki @wookicentral.com
Re: tynamo-security (shiro) exception
What version of tapestry-security are you using in your pom.xml?

On Mon, Oct 25, 2010 at 7:27 AM, Anton Mezerny wrote:
> Hi all,
> I am playing with hotel booking application and trying to use some examples
> from it in my project. Now I have a problem in login page - when I try to
> login, I got shiro's cipher exception, like here:
> https://issues.apache.org/jira/browse/SHIRO-183
> Is it fixed now? How can I upgrade to fixed version of
> shiro/tynamo-security?
> Thanks in advance.
> Anton
tynamo-security (shiro) exception
Hi all,

I am playing with hotel booking application and trying to use some examples from it in my project. Now I have a problem in login page - when I try to login, I got shiro's cipher exception, like here:
https://issues.apache.org/jira/browse/SHIRO-183

Is it fixed now? How can I upgrade to fixed version of shiro/tynamo-security?

Thanks in advance.
Anton