Hi Mad,

By your class names, that means you're using JSecurity 0.9.0 final and not using Shiro's codebase yet. Do you have any problems using the Shiro codebase?

I ask because it would be much easier for me to play with things with the dev environment I already have set up centered around Shiro.

Thoughts?

Cheers,

Les

On Tue, Jul 7, 2009 at 3:15 PM, mad rug <[email protected]> wrote:

> Hi,
>
> I'm facing some issues using JSecurity in my project. Authentication works
> perfect (JDBC based login, require login for protected URLs), but
> authorization is not.
> I set up a JdbcRealm, following the Spring sample bundled with JSecurity.
> Most of it is unchanged from the sample (I change it to my own URLs, custom
> JDBC queries).
>
> When I debug my app and check the authenticated Subject, its
> securityManager is using classpath:org/jsecurity/cache/ehcache/ehcache.xml
> as config file. The first time I try to check anything involving
> authorization, I get this:
>
> 10:49:21,421 INFO [RealmSecurityManager] No Realms configured. Defaulting to failsafe PropertiesRealm.
> ...
> 10:49:21,546 INFO [EhCacheManager] Using preconfigured EHCache named [org.jsecurity.realm.text.PropertiesRealm-1-authorization]
> 10:49:23,687 ERROR [[secureWeb]] Servlet.service() for servlet secureWeb threw exception
> java.util.NoSuchElementException
>     at java.util.Collections$EmptySet$1.next(Collections.java:2912)
>     at java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
>     at org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:159)
>     ...
>
> In my JBoss logs, I see that the security manager seems to be created
> multiple times (the config file was read multiple times), all of them getting
> config from classpath:org/jsecurity/cache/ehcache/ehcache.xml, except one,
> which loads my config file (classpath:myconfig-ehcache.xml). This is the
> Spring config for my securityManager:
>
>     <bean id="securityManager" class="org.jsecurity.web.DefaultWebSecurityManager">
>         <property name="realm" ref="jdbcRealm"/>
>         <property name="sessionMode" value="jsecurity"/>
>         <property name="cacheManager" ref="cacheManager"/>
>     </bean>
>     <bean id="cacheManager" class="org.jsecurity.cache.ehcache.EhCacheManager">
>         <property name="cacheManagerConfigFile">
>             <value>classpath:myconfig-ehcache.xml</value>
>         </property>
>     </bean>
>
> I believe this bean is not being injected into objects that need security
> manager, and they are creating their own default copies, with default
> config. For example: if I remove JSecurityFilter completely from web.xml,
> one of these securityManager creations with default config is gone.
> I also just found out about references in web.xml inline ini
> (securityManager.cacheManager = $cacheManager), but I couldn't refer to the
> Spring managed bean. Do I have to repeat the cacheManager config in this
> file (ultimately creating a second securityManager), or I can somehow refer
> to the same object created by Spring, or vice versa? I see that there is
> some SpringIniWebConfiguration, but I couldn't find how to use it.
> Debugging the creation of DefaultWebSecurityManagers, some of these wrong
> managers are created in the stack of IniWebConfiguration, so I hope the
> Spring version can help me.
>
> Another approach I took: I debugged a hasRole() call to see where things
> went wrong, and inside RealmSecurityManager.ensureRealms() no realms were
> found, and the default PropertiesRealm was loaded. A resolved bug (SHIRO-66)
> says it is caused by a securityManager which is a proxy (I believe it is my
> case here, I use proxies, just don't know if the securityManager was proxied
> as well). I'd like to avoid using Shiro before 1.0, also because I'm having
> problems building Shiro (missing dependencies), and I prefer GA releases.
> Can I do some workaround for this?
>
> Additional notes, don't know if somehow relevant:
> - my environment: JBoss 4.2.1, JSecurity 0.9, Spring 2.5.6, DataNucleus
>   Platform 1.1 (JDO), Java 1.6.
> - all my libs and dependencies (Spring, JSecurity, JCaptcha...) are on
>   jboss (servers libs folder); I did it to reduce deploy size;
> - my DAOs and Spring beans (including security manager) are defined in a
>   parent application, so that the two web projects/contexts that make the
>   whole application can share the same beans (it works nice AFAIK).
>
> Well, that's a lot of info. Sorry about my previous mail, I hadn't properly
> investigated the issue. Hope I can get some help now =)
> Guess I said all I knew about my situation. If there is some missing link,
> please tell me.
>
> Thanks!
