Hi all,
I'm new to Shiro and I would like to integrate it into my JAX-RS web service.
It exposes an API used by an Ajax client.

The web service starts programmatically in this way:

JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();

JacksonJaxbJsonProvider jackson = new JacksonJaxbJsonProvider();
ObjectMapper m = new ObjectMapper();
m.configure(DeserializationFeature.UNWRAP_ROOT_VALUE, true);

jackson.setMapper(m);
CrossOriginResourceSharingFilter cors = new CrossOriginResourceSharingFilter();
sf.setProviders(Arrays.<Object>asList(cors, jackson));
sf.setResourceClasses(Service.class, Users.class);
sf.setResourceProvider(Service.class, new SingletonResourceProvider(new ServiceImpl(env)));
sf.setResourceProvider(Users.class, new SingletonResourceProvider(new Users(env)));

sf.setAddress(address);
Server server = sf.create();

I added

// SecurityManager here is org.apache.shiro.mgt.SecurityManager, not java.lang.SecurityManager
Factory<SecurityManager> shiro = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = shiro.getInstance();
SecurityUtils.setSecurityManager(securityManager);

to configure Shiro.

My shiro.ini is now very simple.

[main]

# ------------------------
# Database

# Own Realm
jdbcRealm = service.nexdata.SecurityRealm

# Sha256
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
# base64 encoding, not hex in this example:
sha256Matcher.storedCredentialsHexEncoded = false
sha256Matcher.hashIterations = 1024

jdbcRealm.credentialsMatcher = $sha256Matcher


[urls]

/users/** = authcBasic


and my SecurityRealm extends JdbcRealm and specializes it for my user DB; it works well, I tested it.

Service and Users are two REST APIs, and I have a status method for development:

@CrossOriginResourceSharing(allowAllOrigins = true, maxAge = 100000,
        allowHeaders = {"X-custom-1", "X-custom-2"},
        exposeHeaders = {"X-custom-3", "X-custom-4"})
@Path("/service")
public abstract class CvService {
    ...

    @GET
    @Path("/status/")
    public abstract Response status(); // reports whether the service is up and running
}



@CrossOriginResourceSharing(allowAllOrigins = true, maxAge = 300,
        allowHeaders = {"X-custom-1", "X-custom-2"},
        exposeHeaders = {"X-custom-3", "X-custom-4"})
@Path("/users")
public abstract class Users {

    @GET
    @Path("/status/")
    public abstract Response status();
}

implemented by

public Response status()
{
    Subject currentUser = SecurityUtils.getSubject();
    boolean auth = currentUser.isAuthenticated();
    if (auth)
        return Response.status(Status.OK).entity("User Service up and running!").build();
    else
        return Response.status(Status.OK).entity("User authentication needed!").build();
}

Shiro seems to work quite well if I do an explicit login and logout, but the
authcBasic filter doesn't seem to work.

I tested it with the Chrome extension Advanced Rest Client and, putting some
breakpoints in BasicHttpAuthenticationFilter, the filter is completely ignored.

I have the feeling that shiro.ini is not enough in this case and that I must
explicitly tell the JAX-RS server to use the Shiro filter first, but I don't know
how.

Is that right? Could you help me, please?
Thank you in advance,


Lisa
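The point the post is circling, as an added example that is not part of Lisa's message nor code from the Shiro or CXF projects: Shiro's `[urls]` section is only evaluated by ShiroFilter, a servlet filter. A JAXRSServerFactoryBean started with sf.create() on CXF's own HTTP transport has no servlet filter chain, so IniSecurityManagerFactory loads the realms but `[urls]` is dead configuration and authcBasic never executes; every resource stays reachable without credentials. Putting the same resources behind CXFNonSpringJaxrsServlet in an embedded Jetty, with ShiroFilter registered in front of it, makes the `[urls]` chains apply. Assumptions: Jetty 9 and CXF 3 with Jackson 2 on the classpath, shiro.ini on the classpath exactly as shown in the post, and hypothetical concrete UsersImpl and ServiceImpl classes with no-argument constructors (the post's take an `env` argument). ApiApplication and ShiroJaxrsServer are names chosen for this example.

```java
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.DispatcherType;
import javax.ws.rs.core.Application;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet;
import org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.servlet.ShiroFilter;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class ShiroJaxrsServer {

    /**
     * Hypothetical JAX-RS Application that hands CXF the same providers and
     * singleton resources the post registered on JAXRSServerFactoryBean.
     * It needs a no-arg constructor because CXFNonSpringJaxrsServlet
     * instantiates it by class name.
     */
    public static class ApiApplication extends Application {
        @Override
        public Set<Object> getSingletons() {
            ObjectMapper mapper = new ObjectMapper();
            mapper.configure(DeserializationFeature.UNWRAP_ROOT_VALUE, true);
            JacksonJaxbJsonProvider jackson = new JacksonJaxbJsonProvider();
            jackson.setMapper(mapper);

            Set<Object> singletons = new HashSet<>();
            singletons.add(jackson);
            singletons.add(new CrossOriginResourceSharingFilter());
            singletons.add(new UsersImpl());    // assumed: concrete @Path("/users") resource
            singletons.add(new ServiceImpl());  // assumed: concrete @Path("/service") resource
            return singletons;
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        ctx.setContextPath("/");
        server.setHandler(ctx);

        // 1. Shiro web environment: builds the security manager from shiro.ini
        //    ([main] realms and matcher, [urls] filter chains). This replaces the
        //    manual IniSecurityManagerFactory + SecurityUtils.setSecurityManager call.
        ctx.setInitParameter("shiroConfigLocations", "classpath:shiro.ini");
        ctx.addEventListener(new EnvironmentLoaderListener());

        // 2. ShiroFilter on /*: this is the component that resolves [urls] and
        //    runs authcBasic. It also binds the Subject to the request thread, so
        //    SecurityUtils.getSubject() inside status() sees the authenticated user.
        ctx.addFilter(new FilterHolder(new ShiroFilter()), "/*",
                EnumSet.of(DispatcherType.REQUEST));

        // 3. CXF servlet behind the filter. Mapping it at /* keeps resource paths
        //    (/users/status/) identical to the [urls] patterns (/users/**); if it
        //    were mapped at /api/*, the ini would need /api/users/** instead.
        ServletHolder cxf = new ServletHolder(new CXFNonSpringJaxrsServlet());
        cxf.setInitParameter("javax.ws.rs.Application", ApiApplication.class.getName());
        ctx.addServlet(cxf, "/*");

        server.start();
        server.join();
    }
}
```

With this in place, `curl -i http://localhost:8080/users/status/` gets a 401 with a `WWW-Authenticate: Basic` challenge from BasicHttpAuthenticationFilter, while `curl -i -u user:pass http://localhost:8080/users/status/` reaches status() with an authenticated Subject; `/service/status/` stays open because no `[urls]` line covers it. One caveat for the Ajax client: because ShiroFilter now runs before CXF's CORS filter, a cross-origin preflight (OPTIONS without an Authorization header) is challenged by authcBasic too, so either the CORS handling has to move in front of Shiro or the chain has to exempt the methods the browser sends unauthenticated; check the `[urls]` options supported by the BasicHttpAuthenticationFilter of the Shiro version in use.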
