Hi,
I see no one replied to your mail, so here is my 2 cents.
I worked on this problem for some time and managed to get it working, but
with a less than optimal solution.
As you did, I started with those tutorials you mentioned, but I had to keep
working to include all the functionalities I wanted.
You can browse my code here:
http://sourceforge.net/p/ursulaerp/code/HEAD/tree/UrsulaEJB/ejbModule/com/ursula/
I'm sorry, but it won't work out of the box at the moment. Still, you can use
it as a reference.

1) Start by creating a realm. I wanted to create a realm that used the
entityManager rather than a JDBC connection, so I created my
EaoRealm<http://sourceforge.net/p/ursulaerp/code/HEAD/tree/UrsulaEJB/ejbModule/com/ursula/beans/auth/shiro/EaoRealm.java>
A tricky problem was how to access the UserController and TokenController
beans from a realm which was instantiated by Shiro rather than the
EjbContainer, so I ended up using ejbLookup.

2) Create a
LoginService<http://sourceforge.net/p/ursulaerp/code/HEAD/tree/UrsulaEJB/ejbModule/com/ursula/service/LoginService.java>
with a method
public String login(@WebParam(name = "user") String user, @WebParam(name = "pass") String pass);
The return value will be your sessionId, which you will provide on every API call.
For example:
public String logout(@WebParam(name = SESSION_ID_PARAM) String session_id);

3) So far Shiro hasn't been started because SOAP calls aren't captured by
the Shiro filter (as far as I know), so you have to create a SoapHandler,
SessionIdHandler, which starts the securityManager only if it hasn't been
started before (very important or you'll lose all your sessions) and links
the current thread to the session associated with the provided sessionId if
possible.
This has many problems because you have to communicate to the user by
SoapErrorMessage a variety of errors that may occur.

4) I don't know if you will be enforcing authorization, but if you will, you
have to create a
SecurityInterceptor<http://sourceforge.net/p/ursulaerp/code/HEAD/tree/UrsulaEJB/ejbModule/com/ursula/beans/auth/shiroee6/SecurityInterceptor.java>
that checks for the appropriate permissions on each method call against the
user associated with the current thread.

Well, I hope it helps, and if anyone has a better way of doing things it would
be welcome.
If you have any questions, don't hesitate to ask.
Cheers,
Tomas Lund Petersen



On Sun, May 18, 2014 at 9:01 PM, [email protected] <[email protected]> wrote:

> Hello everybody,
>
> I am new to SHIRO and have been trying for a few days to get the following
> use case working: use SOAP UI to call a service with Basic Authorization;
> username and password are manually set, of course.
> In an EJB Module (maven packaging ejb) I have one stateless Service bean
> (@WebService) with some very simple demo methods (like "sayHello" etc...)
>
> Is that possible with SHIRO and how?
>
> I have read and tried to understand the Shiro Documentation and some
> additional resources like:
>
> http://czetsuya-tech.blogspot.ca/2012/10/how-to-integrate-apache-shiro-with.html
> and
>
> http://balusc.blogspot.ca/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html#DeclarativeRestrictionInBeanMethods
>
> I have followed these resources. I cannot find a way to do a "straight"
> login like in a jaas or glassfish realm login module...
>
> Thanks a lot for your help!
>
> Cheers
>
> Emmanuel
>
>
>
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Securing-EJB-Web-Services-with-HTTP-Basic-Auth-tp7579962.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
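
An added example, not code from the linked project or from either poster: one way to write the SOAP handler described in step 3 of the reply, so that the security manager is created once and each request thread is bound to the session named by the caller. It assumes the javax.* JAX-WS API, Shiro's default in-memory session manager, an unqualified body element named session_id, and SimpleAccountRealm as a stand-in for the project's own realm.

```java
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.w3c.dom.NodeList;
public class SessionIdHandler implements SOAPHandler<SOAPMessageContext> {
    // Assumed element name; the original project uses its own SESSION_ID_PARAM constant.
    private static final String SESSION_ID_ELEMENT = "session_id";
    // Holder idiom: the JVM builds the manager exactly once, so sessions are never discarded.
    private static final class Holder {
        // SimpleAccountRealm is a placeholder for the application's realm (assumption).
        static final SecurityManager MANAGER = new DefaultSecurityManager(new SimpleAccountRealm());
    }
    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true; // responses need no binding
        }
        ThreadContext.remove(); // drop any Subject left behind on a pooled thread
        ThreadContext.bind(Holder.MANAGER);
        try {
            NodeList ids = ctx.getMessage().getSOAPBody().getElementsByTagName(SESSION_ID_ELEMENT);
            if (ids.getLength() == 0) {
                return true; // e.g. login(): continue with no Subject bound to the thread
            }
            String sessionId = ids.item(0).getTextContent().trim();
            // An unknown or expired id yields a Subject without a session, not an exception.
            Subject subject = new Subject.Builder(Holder.MANAGER).sessionId(sessionId).buildSubject();
            if (!subject.isAuthenticated()) {
                throw new WebServiceException("Invalid or expired session"); // fail closed
            }
            ThreadContext.bind(subject); // SecurityUtils.getSubject() now returns this caller
            return true;
        } catch (SOAPException e) {
            throw new WebServiceException("Unreadable SOAP body", e);
        }
    }
    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { ThreadContext.remove(); }
    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }
}
```

Clearing the ThreadContext both on entry and in close() matters because container threads are pooled: a Subject left bound after one request would otherwise be visible to the next caller served by the same thread.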
