Hi,

It's over a week since this email, but no replies so far. I'm mostly sure I'm missing some silly detail here. Any help, please?

Thanks!

On Fri, Jul 17, 2009 at 5:55 PM, mad rug <[email protected]> wrote:
> Hi
>
> I just faced this strange situation, and I'm mostly sure Shiro should
> behave differently... at least I hope it can.
>
> My application is Spring based. A parent application context contains all
> business and DAO objects, with Shiro role annotations on the business
> methods. Linked to this parent there is a WAR context with my secured
> application; it uses Spring MVC, the Shiro URL filter, and JDBC-based
> authentication and authorization, and it works perfectly (protects URLs,
> requires login when not authc, blocks unauthorized access, both to URLs and
> to business methods).
>
> Now I needed to access the same parent context from another WAR context.
> This context is Servlet-based (no Spring MVC), and I only needed a couple of
> beans in only one Servlet, so I didn't use IoC and retrieved the beans
> manually. Think of it as a public website, using some beans to list
> non-critical and/or public data, or to store contact requests submitted
> through a contact form.
>
> I used the sample in the following site for this parent context:
>
> http://blog.springsource.com/2007/06/11/using-a-shared-parent-application-context-in-a-multi-war-spring-application/
>
> My code to access the parent container is this (I just got it working, and
> I don't know whether this is a nice way to do it):
>
>     BeanFactoryLocator bfl = ContextSingletonBeanFactoryLocator.getInstance();
>     BeanFactoryReference bfr = bfl.useBeanFactory("myAppParentContext");
>     BeanFactory bf = bfr.getFactory();
>     MyService bean = (MyService) bf.getBean("myBean");
>     Object x = bean.someMethodThatRequireRoles();
>
> The service:
>
>     public interface MyService {
>         ...
>         @RequiresRoles(value = "someRole")
>         public Object someMethodThatRequireRoles() {...}
>     }
>
> The issue is that any method accessed in these beans from the second
> (public site) context does not perform any kind of security check. I
> accessed role-restricted methods in my business beans, and no exception was
> thrown. I also checked, and they are the same bean objects used by my secure
> first context; also, I was not logged in to provide authorization, and the
> role-checking methods in AuthorizingRealm were never invoked.
>
> I don't know why this is happening, but I'd not like to leave it as it is.
> Is this a known scenario? How can I enable the security checks?
> If any other info/code is needed to understand this, just ask me and I'll
> post it ASAP.
>
> Thanks!
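Two things have to hold for a Shiro annotation such as @RequiresRoles to be enforced under Spring: the bean the caller holds must be the Spring AOP proxy that AuthorizationAttributeSourceAdvisor (driven by DefaultAdvisorAutoProxyCreator) wraps around the target, and Shiro's interceptor must be able to resolve a Subject through SecurityUtils.getSubject(), which needs a SecurityManager bound to the calling thread (ShiroFilter does this per request in a web app) or set statically. The example below is added here to show those two checks on a bean fetched from an application context; it is not the poster's code and not part of Shiro or Spring. It reuses the names MyService, myBean and someRole from the post, and everything else (the ShiroProxyCheck class, the ParentConfig Java config, the "demo" realm and the alice/bob accounts) is constructed for the example. It assumes Shiro 1.x with shiro-spring on the classpath and Spring 3 or later for the Java config; with Spring 2.5 the same three beans are declared in XML.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.UnavailableSecurityManagerException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.subject.Subject;
import org.springframework.aop.framework.Advised;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

public class ShiroProxyCheck {

    // Same shape as the service in the post; the method body is made up for the example.
    public interface MyService {
        @RequiresRoles("someRole")
        Object someMethodThatRequireRoles();
    }

    public static class MyServiceImpl implements MyService {
        public Object someMethodThatRequireRoles() { return "restricted data"; }
    }

    // Stand-in for the shared parent context: a realm, the SecurityManager, and the two
    // beans that make Shiro annotations work under Spring AOP. Without the advisor and the
    // auto-proxy creator in the context that OWNS myBean, myBean is a plain object.
    @Configuration
    public static class ParentConfig {
        @Bean
        public DefaultSecurityManager securityManager() {
            SimpleAccountRealm realm = new SimpleAccountRealm("demo"); // constructed test accounts
            realm.addAccount("alice", "secret", "someRole");
            realm.addAccount("bob", "secret");                      // authenticates, but no roles
            DefaultSecurityManager sm = new DefaultSecurityManager(realm);
            // ShiroFilter binds the SecurityManager to each request thread in a web app;
            // a plain servlet or standalone caller has to make it reachable itself.
            SecurityUtils.setSecurityManager(sm);
            return sm;
        }

        @Bean
        public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultSecurityManager sm) {
            AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
            advisor.setSecurityManager(sm);
            return advisor;
        }

        @Bean
        public static DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
            return new DefaultAdvisorAutoProxyCreator();
        }

        @Bean
        public MyService myBean() { return new MyServiceImpl(); }
    }

    /** Check 1: is a SecurityManager reachable from this thread (thread-bound or static)? */
    static boolean securityManagerReachable() {
        try { SecurityUtils.getSecurityManager(); return true; }
        catch (UnavailableSecurityManagerException e) { return false; }
    }

    /** Check 2: is a call by the current (here: anonymous or role-less) Subject rejected? */
    static boolean roleCheckEnforced(MyService bean) {
        try { bean.someMethodThatRequireRoles(); return false; }
        catch (AuthorizationException e) { return true; }
    }

    public static void main(String[] args) throws Exception {
        AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(ParentConfig.class);
        MyService bean = ctx.getBean("myBean", MyService.class);

        // The checks to run on a bean fetched from the parent context.
        System.out.println("SecurityManager reachable:  " + securityManagerReachable());  // true
        System.out.println("bean is a Spring AOP proxy: " + AopUtils.isAopProxy(bean));  // true
        System.out.println("anonymous call rejected:    " + roleCheckEnforced(bean));    // true

        // With the required role the same proxy lets the call through.
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("as alice: " + bean.someMethodThatRequireRoles());
        subject.logout();

        // Authenticated but without the role: still rejected.
        subject.login(new UsernamePasswordToken("bob", "secret"));
        System.out.println("bob rejected:               " + roleCheckEnforced(bean));    // true
        subject.logout();

        // The advice lives on the proxy, not on the object: the unwrapped target has no checks.
        MyService raw = (MyService) ((Advised) bean).getTargetSource().getTarget();
        System.out.println("raw target is a proxy:      " + AopUtils.isAopProxy(raw));   // false
        System.out.println("raw target, anonymous:      " + raw.someMethodThatRequireRoles()); // no exception
        ctx.close();
    }
}
```

Run against the real parent context, the two helper checks tell the two failure modes apart. If AopUtils.isAopProxy(bean) is false for the bean pulled through ContextSingletonBeanFactoryLocator, the advisor and auto-proxy creator are not registered in the context that owns the bean, so there is nothing to intercept and the call returns silently, which matches the symptom in the post. If the proxy is there but securityManagerReachable() is false in the servlet, the interceptor runs and SecurityUtils.getSubject() throws UnavailableSecurityManagerException rather than letting the call through, so a silent pass points at the first condition. The last two lines show why the raw target must never be handed out: anything that unwraps the proxy, or is constructed outside the proxying context, carries no annotation enforcement at all.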
