Hi Mad,

For some reason I didn't see this - I'll read it and see if I can help.

On Mon, Jul 27, 2009 at 4:31 PM, mad rug<[email protected]> wrote:
> Hi,
>
> It's over a week since this email, but no replies so far. I'm most sure I'm
> missing some silly detail here.
> Any help, please?
>
> Thanks!
>
> On Fri, Jul 17, 2009 at 5:55 PM, mad rug <[email protected]> wrote:
>>
>> Hi
>>
>> I just faced this strange situation, and I'm mostly sure Shiro should
>> behave differently... at least I hope it can.
>>
>> My application is Spring based. A parent application context contains all
>> business and DAO objects, with Shiro role annotations on the business
>> methods. Linked to this parent there is a WAR context with my secured
>> application; it uses Spring MVC, Shiro URL filter, JDBC based authentication
>> and authorization, and works perfectly (protects URLs, requires login when
>> not authc, blocks unauthorized access, both URL and business methods).
>> Now I needed to access the same parent context from another WAR context.
>> This context is Servlet based (no Spring MVC), and I only needed a couple of
>> beans in only one Servlet, so I didn't use IoC and retrieved the beans
>> manually. Think of it as a public website, using some beans to list
>> non-critical and/or public data, or store contact requests submitted through
>> a contact form.
>> I used the sample in the following site for this parent context:
>>
>> http://blog.springsource.com/2007/06/11/using-a-shared-parent-application-context-in-a-multi-war-spring-application/
>>
>> My code to access the parent container is this (just got it working, and
>> don't know if this is not a nice way to do it):
>>     BeanFactoryLocator bfl =
>>         ContextSingletonBeanFactoryLocator.getInstance();
>>     BeanFactoryReference bfr =
>>         bfl.useBeanFactory("myAppParentContext");
>>     BeanFactory bf = bfr.getFactory();
>>     MyService bean = (MyService)bf.getBean("myBean");
>>     Object x = bean.someMethodThatRequireRoles();
>>
>> The service:
>>     public interface MyService {
>>         ...
>>         @RequiresRoles(value = "someRole")
>>         public Object someMethodThatRequireRoles() {...}
>>     }
>>
>> The issue is that any method accessed in these beans from the second
>> (public site) context does not perform any kind of security check. I accessed
>> role-restricted methods in my business beans, and no exception was thrown. I
>> also checked, and they are the same bean objects used by my secure first
>> context, also I was not logged in to provide authorization, and the
>> role-checking methods in AuthorizingRealm were never invoked.
>>
>> I don't know why this is happening but I'd not like to leave it as it is.
>> Is this a known scenario? How can I enable the security checks?
>> If any other info/code is needed to understand this, just ask me and I'll
>> post it ASAP.
>>
>> Thanks!
