Hi, I have a pretty special setup for Shiro and I'm having a problem I can't solve. I can log in perfectly via a SOAP web service, sending userName and password, and retrieve a sessionId. Then I can call another web service which retrieves the logged-in user (Object) from the sessionId. All the permissions are checked and cleared by my SecurityInterceptor and the response is successful. (This method doesn't require authentication.) But when I call updateUser(sessionId, user) I get Subject.isAuthenticated() false in the SecurityInterceptor and have to throw an AuthenticationException.
The subject binding is done by a SOAP handler which retrieves the session corresponding to the sessionId provided, constructs a subject and then binds it to the threadContext. I don't understand why I get this erratic behavior from Subject.isAuthenticated(). I don't see any problems while retrieving the session in the SessionIdHandler (the SOAP call is not passed to the service in this case). It seems to me that subject.isAuthenticated() is false when retrieving a session by sessionId. Is this so? How can I instruct Shiro to keep the authenticated state?

The setup:

sourceforge_code <http://sourceforge.net/p/ursulaerp/code/HEAD/tree/UrsulaEJB/ejbModule/com/ursula/>
Glassfish 4
EJB web service/SOAP (no web.xml)
Shiro is started in a SecurityProducer @Singleton based on link <http://czetsuya-tech.blogspot.com.ar/2012/10/how-to-integrate-apache-shiro-with.html#.UsdA_rSJ5Po>

shiro.ini

[main]
filter = com.ursula.beans.auth.shiro.UrsulaFilter
eaoRealm = com.ursula.beans.auth.shiro.EaoRealm
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
eaoRealm.cacheManager = $cacheManager
securityManager.realms = $eaoRealm

[urls]
/* = ssl[8181]

//Part of UserBean.java
//subject is @Injected from the SecurityProducer
public String login(String user, String pass) {
    log.info("LoginBean.login");
    log.info("procedo a autenticar el usuario user={" + user + "}, password={" + pass + "}");
    UserToken token = new UserToken(user, pass);
    subject.login(token);//org.apache.shiro.session.UnknownSessionException: There is no session with id [d59cd917-e734-4ef6-9acc-fbfca1474180]
    String sessionId = subject.getSession().getId().toString();
    UserToken tk = getTokenLogueado();
    Usuario usuario = tk.getUsuario();
    subject.getSession().setAttribute(USUARIO_ATTRIBUTE, usuario);
    log.info("devuelvo la sessionId: " + sessionId);
    return sessionId;
}

/**
 * @author Edward P. Legaspi
 * @since Oct 10, 2012 Produces an instance of Shiro's subject so that it can be
 *        injected.
 */
/**
 * Class that produces an object of type Subject so that it can be injected
 * with the @Inject Subject annotation
 *
 * @author Tomas ini
 *
 */
@Startup
@Singleton
public class SecurityProducer {

    private SecurityManager securityManager;
    private Logger log = LoggerFactory.getLogger(SecurityProducer.class);

    @PostConstruct
    public void init() {
        System.out.println("SecurityProducer.init()");
        String iniFile = SecurityInterceptor.class.getResource("/META-INF/shiro.ini").toExternalForm();//ok!
        securityManager = new IniSecurityManagerFactory(iniFile).getInstance();
        log.info("Initializing Shiro INI SecurityManager using " + iniFile);
        // This adds it as a static reference in SecurityUtils.
        // If I run it more than once the sessions are lost.
        SecurityUtils.setSecurityManager(securityManager);
    }

    @Produces
    @Named("securityManager")
    public SecurityManager getSecurityManager() {
        System.out.println("securityManager en SecurityProducer es " + securityManager);
        return securityManager;
    }

    @Produces
    public Subject getSubject() {
        return SecurityUtils.getSubject();
    }
}

/**
 * Handler that can be added to a service so that it handles assigning a
 * session to a thread when the session_id parameter is found
 *
 * @author Tomas ini
 *
 */
public class SessionIdHandler implements SOAPHandler<SOAPMessageContext> {

    static final String META_INF_HANDLERS_XML = "/META-INF/handlers.xml";
    private static final String THREAD_STATE = "threadState";
    private static final Logger log = LoggerFactory.getLogger(SessionIdHandler.class);

    @EJB
    @Named("securityManager")
    SecurityManager securityManager;

    public boolean handleMessage(SOAPMessageContext mc) {
        log.info("SessionIdHandler.handleMessage()");
        Boolean outbound = (Boolean) mc.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (!outbound) {
            System.out.println("SessionIdHandler Inbound soap Message");
            try {
                System.out.println("securityManager en sessionIdHandler es " + securityManager);
                Builder builder = (new Subject.Builder(securityManager));
                final SOAPMessage message = mc.getMessage();
                final SOAPBody body = message.getSOAPBody();
                NodeList element = body.getElementsByTagName(LoginService.SESSION_ID_PARAM);
                if (element.item(0) != null) {// if it has the sessionId parameter
                    System.out.println("SessionIdHandler Message has sessionId param");
                    String sessionId = element.item(0).getTextContent();
                    try {// try to recover the session from the sessionId
                        SessionKey sK = new DefaultSessionKey(sessionId);
                        Session session = securityManager.getSession(sK);
                        if (session == null) {
                            System.out.println("Session does not exist");
                            return false;
                        } else {// the session was created correctly
                            System.out.println("OK Session recovered succesfully!!");
                            builder.sessionCreationEnabled(false);
                            builder.session(session);
                        }
                    } catch (SessionException se) {// the session could not be created from the session id
                        System.out.println("securityManager.getSession(sK); produced SessionException "
                                + se.getClass().getSimpleName() + " " + se.getMessage());
                        return false;
                    }
                } else {// if it doesn't have the sessionId parameter
                    System.out.println("SessionIdHandler Message doesn't have sessionId param");
                    System.out.println("binding a new subject to the thread");
                    builder.sessionCreationEnabled(true);
                }
                // from here on I have the builder configured to create a subject,
                // either from an existing session or by creating a new one.
                Subject subject = builder.buildSubject();
                ThreadState threadState = new SubjectThreadState(subject);
                threadState.bind();
                mc.put(THREAD_STATE, threadState);// I put the thread state in the context to release it on the way out
            } catch (SOAPException e) {
                log.info("SOAPException = " + e.getMessage());
                return false;
            }
        } else {// When the message is outbound I take the opportunity to clean up the thread state.
            ThreadState threadState = (ThreadState) mc.get(THREAD_STATE);
            if (threadState != null) {
                System.out.println("limpiando el threadstate " + threadState);
                // threadState.clear();
            }
        }
        return true;
    }

    public Set<QName> getHeaders() {
        return Collections.emptySet();
    }

    public void close(MessageContext mc) {
    }

    public boolean handleFault(SOAPMessageContext mc) {
        System.out.println("SessionIdHandler.handleFault");
        return true;
    }
}

@Stateless
@LocalBean// this makes it implement the no-interface view
@WebService
@HandlerChain(file = SessionIdHandler.META_INF_HANDLERS_XML)// ok!
public class LoginService {

    // constant used by the handler to read the message and link the user
    // to the thread; must be the same as @WebParam(name="session_id")
    public static final String SESSION_ID_PARAM = "session_id";

    @EJB
    UserBean uBean;

    /**
     * Default constructor.
     */
    public LoginService() {
    }

    /**
     * @return sessionId; must be the first parameter of all other
     *         requests or passed as an attribute of the request.
     * @throws ServiceException
     */
    public String login(@WebParam(name = "user") String user,
            @WebParam(name = "pass") String pass) throws ServiceException {
        if (uBean != null) {
            String resp = "no se puede loguear";
            try {
                resp = uBean.login(user, pass);
            } catch (Exception e) {
                resp = "excepcion";
                e.printStackTrace();
                throw new ServiceException("AuthenticationException", e);
            }
            return resp;
        }
        return "no uBean";
    }

    public String logout(@WebParam(name = SESSION_ID_PARAM) String session_id) {
        return uBean.logout();
    }

    /**
     * a user_pass_mail_token is loaded with an expiry date and a blank
     * usr_id; state = request
     */
    public boolean requestUserToken(
            @WebParam(name = "usr_name") String usr_name,
            @WebParam(name = "usr_mail") String usr_mail,
            @WebParam(name = "locale") Locale locale) {
        UserToken token = new UserToken();
        token.setUsrName(usr_name);
        token.setUsrMail(usr_mail);
        token.setLocale(locale);
        if (uBean != null) {
            uBean.requestUserToken(token);
        }
        return true;
    }

    public UserToken getUserToken(@WebParam(name = LoginService.SESSION_ID_PARAM) String session_id) {
        return null;
    }

    /**
     * method that lets the user replace their access token with a new one
     * @param session_id
     * @param user
     * @param pass
     * @return true if the token could be changed
     */
    public Boolean updateToken(@WebParam(name = LoginService.SESSION_ID_PARAM) String session_id,
            @WebParam(name = "user") String user,
            @WebParam(name = "pass") String pass) {
        final UserToken token = new UserToken();
        token.setUsrName(user);
        token.setUsrPass(pass);
        uBean.updateToken(token);
        return true;
    }
}

/**
 * @author Edward P. Legaspi
 * @since Oct 10, 2012
 *
 */
/**
 * class that is called when a method annotated with @Secured is invoked; it
 * verifies that the invoking Subject has the permissions required by the method
 *
 * it can only intercept normal beans, no web services or web servlets,
 * etc.; that is what filters are for
 *
 * @author Tomas ini
 *
 */
@Secured
@Interceptor
public class SecurityInterceptor {

    @Inject
    private Subject subject;

    private Logger log = LoggerFactory.getLogger(SecurityInterceptor.class);

    @AroundInvoke
    public Object interceptGet(InvocationContext ctx) throws Exception {
        subject = SecurityUtils.getSubject();
        final Class<? extends Object> runtimeClass = ctx.getTarget().getClass();

        // Check if user is authenticated
        boolean requiresAuthentication = false;
        try { // check method first
            Annotation a = ctx.getMethod().getAnnotation(RequiresAuthentication.class);
            if (a != null) {
                requiresAuthentication = true;
            }
        } catch (NullPointerException e) {
            requiresAuthentication = false;
        }
        if (!requiresAuthentication) { // then check class level
            try {
                if (runtimeClass != null) {
                    Annotation a = runtimeClass.getAnnotation(RequiresAuthentication.class);
                    if (a != null) {
                        requiresAuthentication = true;
                    }
                } else {
                    throw (new NullPointerException());
                }
            } catch (NullPointerException e) {
                requiresAuthentication = false;
            }
        }
        if (requiresAuthentication) {
            log.info("[security] checking for authenticated user.");
            try {
                if (!subject.isAuthenticated()) {//THIS FAILS SOMETIMES
                    System.out.println("subject.isAuthenticated es false entoces respondo AuthorizationException");
                    log.info("[security] user not authenticated.");
                    throw new AuthorizationException();
                } else {
                    log.info("OK!! subject is authenticated");
                }
            } catch (Exception e) {
                log.info("Access denied - {}: {}" + e.getClass().getName() + e.getMessage());
                throw e;
            }
        }

        /************************************************************/
        // check if user has roles
        boolean requiresRoles = false;
        List<String> listOfRoles = null;
        try { // check method first
            RequiresRoles roles = ctx.getMethod().getAnnotation(RequiresRoles.class);
            listOfRoles = Arrays.asList(roles.value());
            requiresRoles = true;
        } catch (NullPointerException e) {
            requiresRoles = false;
        }
        if (!requiresRoles || listOfRoles == null) { // check class
            try {
                RequiresRoles roles = runtimeClass.getAnnotation(RequiresRoles.class);
                listOfRoles = Arrays.asList(roles.value());
                requiresRoles = true;
            } catch (NullPointerException e) {
                requiresRoles = false;
            }
        }
        if (requiresRoles && listOfRoles != null) {
            log.info("[security] checking for roles.");
            try {
                boolean[] boolRoles = subject.hasRoles(listOfRoles);
                boolean roleVerified = false;
                for (boolean b : boolRoles) {
                    if (b) {
                        roleVerified = true;
                        break;
                    }
                }
                if (!roleVerified) {
                    throw new javax.ejb.EJBException(
                            "Access denied. User doesn't have enough privilege Roles:"
                                    + listOfRoles + " to access this page.");
                }
            } catch (Exception e) {
                log.info("Access denied - {}: {}" + e.getClass().getName() + e.getMessage());
                throw e;
            }
        }

        /************************************************************/
        // and lastly check for permissions
        boolean requiresPermissions = false;
        List<String> listOfPermissionsString = null;
        try { // check method first
            RequiresPermissions permissions = ctx.getMethod().getAnnotation(RequiresPermissions.class);
            listOfPermissionsString = Arrays.asList(permissions.value());
            requiresPermissions = true;
        } catch (NullPointerException e) {
            requiresPermissions = false;
        }
        if (!requiresPermissions || listOfPermissionsString == null) { // check class
            try {
                RequiresPermissions permissions = runtimeClass.getAnnotation(RequiresPermissions.class);
                listOfPermissionsString = Arrays.asList(permissions.value());
                requiresPermissions = true;
            } catch (NullPointerException e) {
                requiresPermissions = false;
            }
        }
        if (requiresPermissions && listOfPermissionsString != null) {
            log.info("[security] checking for permissions.");
            List<Permission> listOfPermissions = new ArrayList<Permission>();
            for (String p : listOfPermissionsString) {
                listOfPermissions.add((Permission) new WildcardPermission(p));
            }
            try {
                boolean[] boolPermissions = subject.isPermitted(listOfPermissions);
                boolean permitted = false;
                for (boolean b : boolPermissions) {
                    if (b) {
                        permitted = true;
                        break;
                    }
                }
                if (!permitted) {
                    throw new AuthorizationException(
                            "Access denied. User doesn't have enough privilege Permissions:"
                                    + listOfPermissionsString + " to access this page.");
                }
            } catch (Exception e) {
                log.info("Access denied - {}: {}" + e.getClass().getName() + e.getMessage());
                throw e;
            }
        }
        return ctx.proceed();
    }
}

2014-01-03T19:36:18.876-0300|Info: lgBean not null
2014-01-03T19:36:18.877-0300|Info: SecurityProducer.init()
2014-01-03T19:36:18.879-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.shiro.EaoRealm - construyendo EaoRealm
2014-01-03T19:36:18.879-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.shiro.EaoRealm - termine de construir EaoRealm
2014-01-03T19:36:19.933-0300|Severe: [http-listener-1(4)] INFO org.apache.shiro.cache.ehcache.EhCacheManager - Cache with name 'eaoRealm.authorizationCache' does not yet exist. Creating now.
2014-01-03T19:36:19.966-0300|Severe: [http-listener-1(4)] INFO org.apache.shiro.cache.ehcache.EhCacheManager - Added EhCache named [eaoRealm.authorizationCache]
2014-01-03T19:36:19.990-0300|Severe: [http-listener-1(4)] INFO org.apache.shiro.config.IniSecurityManagerFactory - Realms have been explicitly set on the SecurityManager instance - auto-setting of realms will not occur.
2014-01-03T19:36:19.990-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.shiroee6.SecurityProducer - Initializing Shiro INI SecurityManager using file:/C:/Program Files/glassfish_4/glassfish4/glassfish/domains/domain1/eclipseApps/UrsulaServerEAR/UrsulaEJB_jar/META-INF/shiro.ini
2014-01-03T19:36:20.004-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.UserBean - LoginBean.login
2014-01-03T19:36:20.004-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.UserBean - procedo a autenticar el usuario user={tomas}, password={111222}
2014-01-03T19:36:20.008-0300|Info: buscando tokens activos en UserTokenController
2014-01-03T19:36:20.019-0300|Info: EclipseLink, version: Eclipse Persistence Services - 2.5.0.v20130507-3faac2b
2014-01-03T19:36:20.389-0300|Info: file:/C:/Program Files/glassfish_4/glassfish4/glassfish/domains/domain1/eclipseApps/UrsulaServerEAR/UrsulaEJB_jar/_UrsulaPU login successful
2014-01-03T19:36:20.564-0300|Severe: [http-listener-1(4)] INFO com.ursula.eao.usuario.UserTokenController - encontre tomas
2014-01-03T19:36:20.583-0300|Severe: [http-listener-1(4)] INFO org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Enabling session validation scheduler...
2014-01-03T19:36:20.590-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado subject=org.apache.shiro.subject.support.DelegatingSubject@2f31141
2014-01-03T19:36:20.590-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado username=tomas
2014-01-03T19:36:20.590-0300|Info: buscando tokens activos en UserTokenController
2014-01-03T19:36:20.631-0300|Severe: [http-listener-1(4)] INFO com.ursula.eao.usuario.UserTokenController - encontre tomas
2014-01-03T19:36:20.651-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.UserBean - devuelvo la sessionId: 30bf20a4-5226-4ddb-be1e-bfe564d48542
2014-01-03T19:36:33.194-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.UserBean - devuelvo el usuario de la session
2014-01-03T19:36:33.194-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado subject=org.apache.shiro.subject.support.DelegatingSubject@2f31141
2014-01-03T19:36:33.194-0300|Severe: [http-listener-1(4)] INFO com.ursula.beans.auth.UserBean - UserBean.getTokenLogueado username=tomas
2014-01-03T19:36:33.195-0300|Info: buscando tokens activos en UserTokenController
2014-01-03T19:36:33.201-0300|Severe: [http-listener-1(4)] INFO com.ursula.eao.usuario.UserTokenController - encontre tomas
2014-01-03T19:36:38.147-0300|Info: updateUsuarioLogueado Tomas3
2014-01-03T19:36:38.148-0300|Severe: [http-listener-1(3)] INFO com.ursula.beans.auth.shiroee6.SecurityInterceptor - [security] checking for authenticated user.
2014-01-03T19:36:38.148-0300|Info: subject.isAuthenticated es false entoces respondo AuthorizationException
2014-01-03T19:36:38.148-0300|Severe: [http-listener-1(3)] INFO com.ursula.beans.auth.shiroee6.SecurityInterceptor - [security] user not authenticated.
2014-01-03T19:36:38.148-0300|Warning: EJB5184:A system exception occurred during an invocation on EJB UserBean, method: public boolean com.ursula.beans.auth.UserBean.updateUsuario(com.ursula.entity.jaas.Usuario) throws org.apache.shiro.authz.AuthorizationException
2014-01-03T19:36:38.148-0300|Severe: [http-listener-1(3)] INFO com.ursula.beans.auth.shiroee6.SecurityInterceptor - Access denied - {}: {}org.apache.shiro.authz.AuthorizationExceptionnull
2014-01-03T19:36:38.149-0300|Warning: javax.ejb.TransactionRolledbackLocalException: Exception thrown from bean
    at com.sun.ejb.containers.EJBContainerTransactionManager.checkExceptionClientTx(EJBContainerTransactionManager.java:662)
    at com.sun.ejb.containers.EJBContainerTransactionManager.postInvokeTx(EJBContainerTransactionManager.java:507)
    at com.sun.ejb.containers.BaseContainer.postInvokeTx(BaseContainer.java:4475)
    at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:2009)
    at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:1979)
    at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:220)
    at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
    at $Proxy288.updateUsuario(Unknown Source)
    at com.ursula.beans.auth.__EJB31_Generated__UserBean__Intf____Bean__.updateUsuario(Unknown Source)
    at com.ursula.service.UsuarioService.updateUsuarioLogueado(UsuarioService.java:58)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1081)
    at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1153)
    at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:4695)
    at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:630)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
    at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
    at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:55)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
    at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
    at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doCall(SystemInterceptorProxy.java:163)
    at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:140)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
    at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:369)
    at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:4667)
    at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4655)
    at com.sun.ejb.containers.WebServiceInvocationHandler.invoke(WebServiceInvocationHandler.java:193)
    at $Proxy223.updateUsuarioLogueado(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.glassfish.webservices.InvokerImpl.invoke(InvokerImpl.java:82)
    at org.glassfish.webservices.EjbInvokerImpl.invoke(EjbInvokerImpl.java:82)
    at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:149)
    at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:88)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
    at com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:136)
    at org.glassfish.webservices.MonitoringPipe.process(MonitoringPipe.java:142)
    at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
    at com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:136)
    at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.processRequest(CommonServerSecurityPipe.java:210)
    at com.sun.enterprise.security.webservices.CommonServerSecurityPipe.process(CommonServerSecurityPipe.java:142)
    at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
    at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:420)
    at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:687)
    at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:266)
    at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:169)
    at org.glassfish.webservices.Ejb3MessageDispatcher.handlePost(Ejb3MessageDispatcher.java:110)
    at org.glassfish.webservices.Ejb3MessageDispatcher.invoke(Ejb3MessageDispatcher.java:80)
    at org.glassfish.webservices.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:203)
    at org.glassfish.webservices.EjbWebServiceServlet.service(EjbWebServiceServlet.java:146)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.glassfish.grizzly.servlet.ServletHandler.doServletService(ServletHandler.java:242)
    at org.glassfish.grizzly.servlet.ServletHandler.service(ServletHandler.java:193)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:246)
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
    at java.lang.Thread.run(Thread.java:722)
Caused by: org.apache.shiro.authz.AuthorizationException
    at com.ursula.beans.auth.shiroee6.SecurityInterceptor.interceptGet(SecurityInterceptor.java:125)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
    at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
    at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:46)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
    at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:582)
    at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doCall(SystemInterceptorProxy.java:163)
    at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:140)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:883)
    at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:822)
    at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:369)
    at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:4667)
    at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4655)
    at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:212)
    ... 91 more

--
View this message in context: http://shiro-user.582556.n2.nabble.com/subject-isAuthenticated-false-after-a-couple-of-calls-soap-ws-tp7579490.html
Sent from the Shiro User mailing list archive at Nabble.com.
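
The binding pattern described in the post (look up the session by id, build a Subject, bind it for the call) can be exercised outside the container to see how the authenticated state follows the thread or the session. This is an added example, not code from the post or from the Shiro project; the class name, the in-memory realm, the demo-user account and the two executors standing in for pooled listener threads are assumptions.

```java
import java.io.Serializable;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

/** Added illustration; names, account and thread roles are constructed for the demo. */
public class SessionIdSubjectDemo {

    public static void main(String[] args) throws Exception {
        // In-memory realm with one constructed account (stands in for a real realm).
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("demo-user", "demo-pass");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        // Two single-thread executors play the role of two pooled listener threads.
        ExecutorService threadA = Executors.newSingleThreadExecutor();
        ExecutorService threadB = Executors.newSingleThreadExecutor();

        // The check an interceptor performs: ask Shiro for the subject of the
        // current thread and test its authenticated flag.
        Callable<Boolean> isAuthenticated =
                () -> SecurityUtils.getSubject().isAuthenticated();

        try {
            // Request 1 (thread A): log in through the thread-bound subject and
            // hand the session id back to the caller.
            Serializable sessionId = threadA.submit(() -> {
                Subject subject = SecurityUtils.getSubject(); // created and bound to thread A
                subject.login(new UsernamePasswordToken("demo-user", "demo-pass"));
                return subject.getSession().getId();
            }).get();

            // Request 2 (thread A, no session id presented): getSubject() returns
            // whatever request 1 left bound to this thread.
            boolean leftoverOnA = threadA.submit(isAuthenticated).get();

            // Request 3 (thread B, nothing bound): getSubject() builds a new
            // subject with no session behind it.
            boolean unboundOnB = threadB.submit(isAuthenticated).get();

            // Request 4 (thread B): rebuild the subject from the session id and
            // run the check inside execute(), which binds the subject for the
            // duration of the call and restores the thread's previous state after.
            boolean fromSessionIdOnB = threadB.submit(() -> {
                Subject subject = new Subject.Builder(securityManager)
                        .sessionId(sessionId)
                        .buildSubject();
                return subject.execute(isAuthenticated);
            }).get();

            // Request 5 (thread B again, no session id): shows what execute()
            // left behind on the thread.
            boolean afterExecuteOnB = threadB.submit(isAuthenticated).get();

            System.out.println("thread A, leftover thread binding : " + leftoverOnA);
            System.out.println("thread B, nothing bound           : " + unboundOnB);
            System.out.println("thread B, subject from session id : " + fromSessionIdOnB);
            System.out.println("thread B, after execute() returned: " + afterExecuteOnB);
        } finally {
            threadA.shutdown();
            threadB.shutdown();
        }
    }
}
```

It needs shiro-core and its dependencies on the classpath. Requests 2 and 3 differ only in which thread serves them, which is the situation to compare against the http-listener-1(4) and http-listener-1(3) entries in the log above.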
