Shiro's filters can filter remote invocations only if:

1) You use HTTP-based remoting
2) Whatever client mechanism you use to execute the remote invocation sets the session ID as a cookie in the request header.

#2 is _not_ done automatically for you by the client SecureRemoteInvocationFactory (SRIF). The SRIF does not know about the transport protocol, so it has no way of setting a cookie (a protocol-specific function).

So the only way, out of the box, to use the filters for HTTP-based remoting is to ensure that you're using a remoting mechanism that supports cookies. This would work if you used the Jakarta Commons HttpClient as the Spring HTTP remoting executor. The only other requirement is that you have to start a session or log in with the client application first so that the HttpClient could remember the session ID cookie resulting from the login.

How does your application's authentication work? Do you log in via a web page and then launch the desktop application (e.g. Java Webstart or Adobe Air)? Or does the application start first and the user authenticates via the desktop application?

On Tue, Dec 22, 2009 at 2:55 AM, Jason Eacott <[email protected]> wrote:
> I think filters should be workable as described in previous posts in this
> thread, but I'm still not sure what you are actually trying to accomplish
> that can't be done by the SecureRemoteInvocationExecutor.
>
> Narcom wrote:
>>
>> so you confirm that [filters] do not work with Spring Remoting and instead of
>> creating a custom filter I should look at subclassing/implementing
>> SecureRemoteInvocationExecutor?
>>
>> Jason Eacott wrote:
>>>
>>> they can be (if configured to use a servlet (it's normal)
>>> and a servlet filter could be made to work (this is how spring security
>>> implements theirs for example), but it seems like doubling up on the same
>>> task to me since there is already the SecureRemoteInvocationExecutor
>>>
>>> Narcom wrote:
>>>>
>>>> I use Spring HTTP-based remoting.
>>>> client example:
>>>> <bean id="sampleManager"
>>>>       class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
>>>>   <property name="serviceUrl"
>>>>             value="http://localhost:8084/SpringRemoting/remoting/secure/sampleManager"/>
>>>>   <property name="serviceInterface"
>>>>             value="my.samples.shiro.spring.SampleManager"/>
>>>>   <property name="remoteInvocationFactory"
>>>>             ref="secureRemoteInvocationFactory"/>
>>>> </bean>
>>>>
>>>> <bean id="secureRemoteInvocationFactory"
>>>>       class="org.apache.shiro.spring.remoting.SecureRemoteInvocationFactory"/>
>>>>
>>>> As I understand, Spring remoting is based on servlet technology?
>>>>
>>>> Les Hazlewood-3 wrote:
>>>>>
>>>>> The filters only work for an incoming servlet request. Are you using
>>>>> HTTP-based remoting? Or Java RMI or some other mechanism?
>>>>>
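
The cookie-capable client setup described in the reply above, written as Spring bean definitions. This is an added example, not configuration posted by anyone in the thread. The bean ids `sharedHttpClient` and `cookieAwareExecutor` are assumptions, and it assumes Spring's `CommonsHttpInvokerRequestExecutor` with Commons HttpClient 3.x on the classpath; the service URL and interface are the ones from the quoted client configuration.

```xml
<!-- Added example. Bean ids "sharedHttpClient" and "cookieAwareExecutor"
     are assumptions, not names used in the thread. -->

<!-- One Commons HttpClient 3.x instance for the whole client application.
     Its HttpState stores the session ID cookie, so the login (or any
     request that starts the session) must go through this same instance
     before the first remote invocation. -->
<bean id="sharedHttpClient" class="org.apache.commons.httpclient.HttpClient">
  <constructor-arg>
    <bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
  </constructor-arg>
</bean>

<!-- Used in place of the default SimpleHttpInvokerRequestExecutor, which
     sends requests through java.net.HttpURLConnection. -->
<bean id="cookieAwareExecutor"
      class="org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor">
  <property name="httpClient" ref="sharedHttpClient"/>
</bean>

<!-- Same proxy as in the quoted client example, with the executor swapped
     so every invocation carries the cookie held by sharedHttpClient and
     the server-side servlet filters can resolve the session. -->
<bean id="sampleManager"
      class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
  <property name="serviceUrl"
            value="http://localhost:8084/SpringRemoting/remoting/secure/sampleManager"/>
  <property name="serviceInterface"
            value="my.samples.shiro.spring.SampleManager"/>
  <property name="httpInvokerRequestExecutor" ref="cookieAwareExecutor"/>
</bean>
```

If an invocation is made before any session exists on `sharedHttpClient`, the request arrives without a session cookie and the filters see it as an unauthenticated request.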
