Hi Lucian,

> 1. I'm trying to use Shiro as a means to authenticate users for my web
> application. The business tier will be done using EJB 3 (stateless session
> beans and entity bean), fronted by a Jersey REST service. The client will
> be a web application, with passing in username/password using a basic html
> form.
>
> 2. In the web.xml, the config param-value for the ShiroFilter, I have:
>
> [main]
> realmFactory.class = org.apache.shiro.realm.jndi.JndiRealmFactory
> realmFactory.jndiNames = jdbc/myproject/DataSource
>
> [filters]
> authc = FormAuthenticationFilter
> authc.loginUrl = /login.html
>
> Is this correct?

Pretty close, but not quite. The realmFactory is a factory for Realms. So the jndi RealmFactory must be able to look up a Realm instance from JNDI - not a DataSource.

The way to accomplish this is to instantiate and bind the org.apache.shiro.realm.jdbc.JdbcRealm into JNDI. The jndiNames needs to be the name under which you bound the JdbcRealm.

This could be easily done by subclassing the JdbcRealm to a custom subclass and using a JEE annotation so it can be used as an @Resource. The name you assign to it is the name that is used in the 'jndiNames' property. For example:

    [main]
    realmFactory.class = org.apache.shiro.realm.jndi.JndiRealmFactory
    realmFactory.jndiNames = realms/MyJdbcRealm

However, I don't believe there is support to easily pull _any_ object out of JNDI such as just a DataSource. That sounds like what you might be looking for based on your example. However, this would be really easy to implement and very convenient for many JEE users - please add a Jira issue so we can add it in 1.0.

> 3. So would I be placing the method, authenticateUser, inside my session
> bean class? If it is, then calling
> SecurityUtils.getSubject() will use the JNDI datasource setup in the
> web.xml to get the user?

Yep, exactly.

> I read that the default query string is "select
> password from users where username = ?". What if my database has users
> table slightly different than the default value? How would I go about
> overriding the default query string?

You can change it as an attribute on the JdbcRealm instance:

    setAuthenticationQuery
    setUserRolesQuery
    setPermissionsQuery

etc.

Cheers,

Les
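The JdbcRealm subclass and query overrides discussed in the message above, sketched as an added example that is not part of the original message or of the Shiro project's code. The class name, table names and column names are hypothetical; the JNDI name is the one from the question, and how the realm itself gets bound under realms/MyJdbcRealm is container-specific and not shown.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

import org.apache.shiro.realm.jdbc.JdbcRealm;

/**
 * Added example: a JdbcRealm that takes its DataSource from JNDI and replaces
 * the default queries for a schema that differs from Shiro's defaults.
 * Class, table and column names are hypothetical.
 */
public class MyJdbcRealm extends JdbcRealm {

    // JNDI name from the question; some containers expose it under a
    // java:comp/env/ prefix instead (assumption: this one does not).
    private static final String DATASOURCE_JNDI_NAME = "jdbc/myproject/DataSource";

    public MyJdbcRealm() throws NamingException {
        // Container-managed pool: no database credentials live in this class.
        DataSource ds = (DataSource) new InitialContext().lookup(DATASOURCE_JNDI_NAME);
        setDataSource(ds);

        // First selected column of the authentication query must be the password.
        setAuthenticationQuery(requireOneParam(
                "select passwd from app_user where login = ?"));
        // Bound to the username.
        setUserRolesQuery(requireOneParam(
                "select role_name from app_user_role where login = ?"));
        // Bound to a role name; only used when permission lookup is enabled.
        setPermissionsQuery(requireOneParam(
                "select permission from app_role_permission where role_name = ?"));
        setPermissionsLookupEnabled(true);
    }

    /**
     * JdbcRealm binds exactly one value per query, so reject any replacement
     * query that does not contain exactly one '?' placeholder. This also
     * catches a query assembled by concatenating a value into the SQL text.
     */
    private static String requireOneParam(String sql) {
        int placeholders = 0;
        for (char c : sql.toCharArray()) {
            if (c == '?') {
                placeholders++;
            }
        }
        if (placeholders != 1) {
            throw new IllegalArgumentException("Expected exactly one '?' in: " + sql);
        }
        return sql;
    }
}
```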
