I have now confirmed that the new servlet _is_ handled by the tapestry filter,
but yet SecurityUtil.getSubject() still isn't working properly.
I believe that tapestry and tap-security is completely ignoring my servlet
and thus none of the Shiro's configuration is getting in there.
The question
This is really simple to reproduce:
In any tap-security enabled Tapestry application, and any servlet 3.0-compliant
container,
put this new file, and try to access it,
the console log will show that getSubject() is not working properly,
even though the app is logged in and has a proper session.
Furthermore, in my servlet method,
This WORKS: WebSubject subject = new WebSubject.Builder(mgr,
getThreadLocalRequest(), getThreadLocalResponse()).buildWebSubject();
but this does NOT:
Subject subj = SecurityUtils.getSubject();
I traced down into this (SecurityConfiguration.java)
What I found out that Servlet 3.0 objects (annotated with @WebServlet and their
derivatives)
do not get the Shiro filter that's instantiated via tapestry-security.
SecurityUtils.getSubject() does not work therefore.
So the question becomes how do I get an instance of whatever's initialized by
On Wed, Sep 7, 2011 at 9:55 PM, Lenny Primak lpri...@hope.nyc.ny.us wrote:
What I found out that Servlet 3.0 objects (annotated with @WebServlet and
their derivatives)
do not get the Shiro filter that's instantiated via tapestry-security.
SecurityUtils.getSubject() does not work therefore.
The servlet is not handled by tapestry filter. I am not sure why, actually,
as I am trying to declare it in web.xml as a workaround now.
tapestry is handling all tap pages and even JSP pages for the old web site,
including all security paths, but not the servlet.
Thanks for your help!
On Sep 8,
Ok, I am getting a bit more of a handle on this problem...
No matter what I do, my servlet is not getting filtered by tapestry filter.
I tried it all in web.xml, to no avail. Tapestry JSP pages do work perfectly.
On Sep 8, 2011, at 1:15 AM, Kalle Korhonen wrote:
On Wed, Sep 7, 2011 at 9:55