Hi Les,
I didn't had code problems, I just used JSecurity 0.9 because I always avoid
to use dev codebase. As I saw that some bug fixes were already on Shiro
(SHIRO-66), I replaced JSecurity. I did little testing since this change,
but my issues remain. This is the error calling hasRole():
java.lang.IllegalStateException: Configuration error: No realms have been
configured! One or more realms must be present to execute an authorization
operation.
at
org.apache.shiro.authz.ModularRealmAuthorizer.assertRealmsConfigured(ModularRealmAuthorizer.java:149)
at
org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:308)
at
org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:182)
at
org.apache.shiro.subject.DelegatingSubject.hasRole(DelegatingSubject.java:228)
at mypackage.MyController.referenceData(MyController.java:99)
...
That's the same error, it was triggered in the same place, just that it now
throws a new exception.
And about shiro, was ehcache support removed? I couldn't locate
EhCacheManager.
Thanks
On Tue, Jul 7, 2009 at 5:06 PM, Les Hazlewood <[email protected]> wrote:
> Hi Mad,
>
> By your class names, that means you're using JSecurity 0.9.0 final and not
> using Shiro's codebase yet. Do you have any problems using the Shiro
> codebase?
>
> I ask because it would be much easier for me to play with things with the
> dev environment I already have set up centered around Shiro.
>
> Thoughts?
>
> Cheers,
>
> Les
>
>
> On Tue, Jul 7, 2009 at 3:15 PM, mad rug <[email protected]> wrote:
>
>> Hi,
>>
>> I'm facing some issues using JSecurity in my project. Authentication works
>> perfect (JDBC based login, require login for protected URLs), but
>> authorization is not.
>> I set up a JdbcRealm, following the Spring sample bundled with JSecurity.
>> Most of it is unchanged from the sample (I change it to my own URLs, custom
>> JDBC queries).
>>
>> When I debug my app and check the authenticated Subject, its
>> securityManager is using classpath:org/jsecurity/cache/ehcache/ehcache.xml
>> as config file. The first time I try to check anything involving
>> authorization, I get this:
>> 10:49:21,421 INFO [RealmSecurityManager] No Realms configured.
>> Defaulting to failsafe PropertiesRealm.
>> ...
>> 10:49:21,546 INFO [EhCacheManager] Using preconfigured EHCache named
>> [org.jsecurity.realm.text.PropertiesRealm-1-authorization]
>> 10:49:23,687 ERROR [[secureWeb]] Servlet.service() for servlet secureWeb
>> threw exception
>> java.util.NoSuchElementException
>> at java.util.Collections$EmptySet$1.next(Collections.java:2912)
>> at
>> java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1010)
>> at
>> org.jsecurity.realm.SimpleAccountRealm.getAuthorizationCacheKey(SimpleAccountRealm.java:159)
>> ...
>>
>> In my JBoss logs, I see that the security manager seems to be created
>> multiple times (the config file was read multiple times), all of getting
>> config from classpath:org/jsecurity/cache/ehcache/ehcache.xml, except one,
>> which loads my config file (classpath:myconfig-ehcache.xml). This is the
>> Spring config for my securityManager:
>> <bean id="securityManager"
>> class="org.jsecurity.web.DefaultWebSecurityManager">
>> <property name="realm" ref="jdbcRealm"/>
>> <property name="sessionMode" value="jsecurity"/>
>> <property name="cacheManager" ref="cacheManager"/>
>> </bean>
>> <bean id="cacheManager"
>> class="org.jsecurity.cache.ehcache.EhCacheManager">
>> <property name="cacheManagerConfigFile" >
>> <value>classpath:myconfig-ehcache.xml</value>
>> </property>
>> </bean>
>>
>> I believe this bean is not being injected into objects that need security
>> manager, and they are creating their own default copies, with default
>> config. For example: if I remove JSecurityFilter completely from web.xml,
>> one of these securityManager creations with default config is gone.
>> I also just found about references in web.xml inline ini
>> (securityManager.cacheManager = $cacheManager), but I couldn't refer to the
>> Spring managed bean. Do I have to repeat the cacheManager config in this
>> file (ultimately creating a second securityManager), or I can somehow refer
>> to the same object created by Spring, or vice versa? I see that there is
>> some SpringIniWebConfiguration, but I couldn't find how to use it.
>> Debugging the creation of DefaultWebSecurityManagers, some of these wrong
>> managers are created in the stack of IniWebConfiguration, so I hope the
>> Spring version can help me.
>>
>> Another approach I took: I debugged a hasRole() call to see where things
>> went wrong, and inside RealmSecurityManager.ensureRealms() no realms were
>> found, and the default PropertiesRealm was loaded. A resolved bug (SHIRO-66)
>> says it is caused by a securityManager which is a proxy (I believe it is my
>> case here, I use proxies, just don't know if the securityManager was proxied
>> as well). I'd like to avoid using Shiro before 1.0, also because I'm having
>> problems building Shiro (missing dependencies), and I prefer GA releases.
>> Can I do some workaround for this?
>>
>> Additional notes, don't know if somehow relevant:
>> - my environment: JBoss 4.2.1, JSecurity 0.9, Spring 2.5.6, DataNucleus
>> Plataform 1.1 (JDO), Java 1.6.
>> - all my libs and dependencies (Spring, JSecurity, JCaptcha...) are on
>> jboss (servers libs folder); I did it to reduce deploy size;
>> - my DAOs and Spring beans (including security manager) are defined in a
>> parent application, so that the two web projects/contexts that make the
>> whole application can share the same beans (it works nice AFAIK).
>>
>> Well, that's a lot of info. Sorry about my previous mail, I hadn't
>> properly investigated the issue. Hope I can get some help now =)
>> Guess I said all I knew about my situation. If there is some missing link,
>> please tell me.
>>
>> Thanks!
>>
>
>
