Hi

I'm using JSecurity 0.9 on my project (waiting for Shiro 1.0). My issue is
that I can't use role/permission-checking tags in my JSP pages, while I can
check them programmatically and through annotations. I followed the Spring sample
available with JSecurity to configure it. I couldn't properly include ehcache
configuration, and I believe that's the reason for these problems (I've seen
similar warnings about ehcache configuration on the samples as well).
This is some of the output and stacktrace in my app:

12:56:26,968 INFO  [Server] JBoss (MX MicroKernel) [4.2.1.GA (build:
SVNTag=JBoss_4_2_1_GA date=200707131605)] Started in 37s:937ms
13:12:13,515 INFO  [DefaultManageableImageCaptchaService] Init
com.octo.captcha.service.captchastore.FastHashMapCaptchaStore
13:12:13,703 INFO  [AbstractValidatingSessionManager] Enabling session
validation scheduler...
13:12:13,734 INFO  [EhCacheManager] Could not find a specific ehcache
configuration for cache named [jsecurity-activeSessionCache]; using
defaults.
13:12:13,734 INFO  [EhCacheManager] Creating jsecurity-activeSessionCache
cache with default JSecurity session cache settings.
13:12:13,734 WARN  [Cache] An API change between ehcache-1.1 and ehcache-1.2
results in the persistence path being set to java.io.tmpdir when the
ehcache-1.1 constructor is used. Please change to the 1.2 constructor
13:12:13,734 WARN  [DiskStore] Data in persistent disk stores is ignored for
stores from automatically created directories (they start with
ehcache_auto_created).
Remove diskPersistent or resolve the conflicting disk paths in cache
configuration.
Deleting data file jsecurity-activeSessionCache.data
13:12:13,734 INFO  [EhCacheManager] Started EHCache named
[jsecurity-activeSessionCache]
13:12:13,734 INFO  [CookieAttribute] Found string value
[9D681E035681518A98723174C282128A] from HttpServletRequest Cookie
[JSESSIONID]
<<<<<secured method called, with proper user authenticated>>>>>
13:12:59,656 INFO  [STDOUT] OUTPUT INSIDE SECURED METHOD, USING ANNOTATIONS
<<<<<same secured method called, with user without 'admin' role>>>>>
13:13:39,250 ERROR [[secureWeb]] Servlet.service() for servlet secureWeb
threw exception
org.jsecurity.authz.UnauthorizedException: Subject does not have role
[admin]
    at
org.jsecurity.authz.ModularRealmAuthorizer.checkRole(ModularRealmAuthorizer.java:300)
    at
org.jsecurity.mgt.AuthorizingSecurityManager.checkRole(AuthorizingSecurityManager.java:255)
    at
org.jsecurity.subject.DelegatingSubject.checkRole(DelegatingSubject.java:230)
    at mypackage.MyFormController.onSubmit(LoginController.java:83)
    at
org.springframework.web.servlet.mvc.SimpleFormController.processFormSubmission(SimpleFormController.java:267)
...
13:14:00,625 INFO  [RealmSecurityManager] No Realms configured.  Defaulting
to failsafe PropertiesRealm.
13:14:00,671 INFO  [AuthorizingRealm] No cache or cacheManager properties
have been set.  Authorization caching is disabled.
13:14:00,671 INFO  [EhCacheManager] Could not find a specific ehcache
configuration for cache named
[org.jsecurity.realm.text.PropertiesRealm-1-authorization]; using defaults.
13:14:00,671 INFO  [EhCacheManager] Started EHCache named
[org.jsecurity.realm.text.PropertiesRealm-1-authorization]
13:14:00,671 INFO  [PropertiesRealm] Unable to find a
jsecurity-users.properties file at location
[classpath:jsecurity-users.properties].  Defaulting to JSecurity's failsafe
properties file (demo use only).
13:14:12,078 INFO  [EhCacheManager] Using preconfigured EHCache named
[org.jsecurity.realm.text.PropertiesRealm-1-authorization]
13:14:12,156 ERROR [[jsp]] Servlet.service() for servlet jsp threw exception
java.util.NoSuchElementException
    at java.util.Collections$EmptySet$1.next(Collections.java:2912)
    at
java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
    at
org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:159)
    at
org.jsecurity.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:267)
    at
org.jsecurity.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:507)
    at
org.jsecurity.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:256)
    at
org.jsecurity.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:240)
    at
org.jsecurity.subject.DelegatingSubject.hasRole(DelegatingSubject.java:213)
    at org.jsecurity.web.tags.HasRoleTag.showTagBody(HasRoleTag.java:33)
    at org.jsecurity.web.tags.RoleTag.onDoStartTag(RoleTag.java:46)
    at org.jsecurity.web.tags.SecureTag.doStartTag(SecureTag.java:53)
    at
org.apache.jsp.WEB_002dINF.jsp.web.login_jsp._jspx_meth_jsecurity_005fhasRole_005f0(login_jsp.java:850)
...

This error stack was caused by <jsecurity:hasRole>. What I could see through
debugging is that my JdbcRealm is replaced by PropertiesRealm when some
authorization check is performed. The user performs login using JdbcRealm as
I configured (with custom queries), but the PropertiesRealm is used when
checking the role.
Could it really just be an ehcache issue? I still couldn't make JSecurity cache
load the config xml file.

Some environment info: Java 1.6.0 13, JBoss AS 4.2.1, Spring 2.5.6, Spring
MVC, JSecurity 0.9.

Thanks!
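
Added example, not part of the original post and not JSecurity code: a log check that flags when authorization has fallen back to the failsafe PropertiesRealm, and whether later errors come from the JSP tags, which is the pattern in the log above. The function names are hypothetical and the sample input is abridged from the log in the post, with its line wrapping kept.

```python
import re

# Start of a log record: "HH:MM:SS,mmm LEVEL [Logger] message"
RECORD_START = re.compile(r"^(\d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+\[(.+?)\] (.*)$")

# Messages that mean role checks are running against the built-in demo realm.
FALLBACK_MARKERS = (
    "Defaulting to failsafe PropertiesRealm",
    "failsafe properties file (demo use only)",
)

# Sample input abridged from the log in the post (wrapped lines preserved).
SAMPLE_LOG = """\
13:12:13,703 INFO  [AbstractValidatingSessionManager] Enabling session
validation scheduler...
13:14:00,625 INFO  [RealmSecurityManager] No Realms configured.  Defaulting
to failsafe PropertiesRealm.
13:14:00,671 INFO  [PropertiesRealm] Unable to find a
jsecurity-users.properties file at location
[classpath:jsecurity-users.properties].  Defaulting to JSecurity's failsafe
properties file (demo use only).
13:14:12,156 ERROR [[jsp]] Servlet.service() for servlet jsp threw exception
java.util.NoSuchElementException
    at org.jsecurity.web.tags.HasRoleTag.showTagBody(HasRoleTag.java:33)
"""

def parse_records(text):
    """Rejoin wrapped lines and stack frames into (time, level, logger, message)."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append(list(m.groups()))
        elif records and line.strip():
            records[-1][3] += " " + line.strip()
    return [tuple(r) for r in records]

def find_fallbacks(text):
    """Return fallback-realm records and later errors raised from the JSP tags."""
    fallbacks, tag_errors = [], []
    for time, level, logger, msg in parse_records(text):
        normalized = re.sub(r"\s+", " ", msg)
        if any(marker in normalized for marker in FALLBACK_MARKERS):
            fallbacks.append((time, logger))
        elif level == "ERROR" and fallbacks and "org.jsecurity.web.tags." in normalized:
            tag_errors.append((time, logger))
    return fallbacks, tag_errors

if __name__ == "__main__":
    print(find_fallbacks(SAMPLE_LOG))
```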
