Have you set up the Shiro Filter in the application's web.xml file?
On Thu, Jul 9, 2015 at 1:39 PM, aidaverdi800 <[email protected]> wrote:
>
> Hi all,
> I'm new to Shiro and I would like to integrate it in my jaxrs webservice.
> It has an api to be used by an ajax client.
>
> The web service starts programmatically in this way:
>
> JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>
> JacksonJaxbJsonProvider jackson = new JacksonJaxbJsonProvider();
> ObjectMapper m = new ObjectMapper();
> m.configure(DeserializationFeature.UNWRAP_ROOT_VALUE, true);
>
> jackson.setMapper(m);
> CrossOriginResourceSharingFilter cors = new CrossOriginResourceSharingFilter();
> sf.setProviders( Arrays.< Object >asList(cors, jackson) );
> sf.setResourceClasses(Service.class, Users.class );
> sf.setResourceProvider(Service.class, new SingletonResourceProvider(new ServiceImpl(env)));
> sf.setResourceProvider(Users.class, new SingletonResourceProvider(new Users(env)));
>
> sf.setAddress(address);
> Server server = sf.create();
>
> I added
>
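> Factory<SecurityManager> shiro = new IniSecurityManagerFactory("classpath:shiro.ini");
> // build the SecurityManager from the factory before registering it
> SecurityManager securityManager = shiro.getInstance();
> SecurityUtils.setSecurityManager(securityManager);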
> to configure shiro
>
> My shiro.ini is now very simple.
>
> [main]
>
> # ------------------------
> # Database
>
> # Own Realm
> jdbcRealm = service.nexdata.SecurityRealm
>
> # Sha256
> sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
> # base64 encoding, not hex in this example:
> sha256Matcher.storedCredentialsHexEncoded = false
> sha256Matcher.hashIterations = 1024
>
> jdbcRealm.credentialsMatcher = $sha256Matcher
>
>
> [urls]
>
> /users/** = authcBasic
>
>
> and the SecurityRealm implements JdbcRealm and specializes it with my user
> db and works well, I tested it.
>
> Service and Users are two rest apis and I have a status method for
> development
>
> @CrossOriginResourceSharing(allowAllOrigins = true, maxAge = 100000,
>     allowHeaders = {"X-custom-1", "X-custom-2"},
>     exposeHeaders = {"X-custom-3", "X-custom-4"})
> @Path("/service")
> public abstract class CvService {
> ...
>
> @GET
> @Path("/status/")
> public abstract Response status(); // returns if the service is up and running
> }
>
>
>
> @CrossOriginResourceSharing(allowAllOrigins = true, maxAge = 300,
>     allowHeaders = {"X-custom-1", "X-custom-2"},
>     exposeHeaders = {"X-custom-3", "X-custom-4"})
> @Path("/users")
> public abstract class Users {
>
> @GET
> @Path("/status/")
> public abstract Response status();
> }
>
> implemented by
> public Response status()
> {
>     Subject currentUser = SecurityUtils.getSubject();
>     boolean auth = currentUser.isAuthenticated();
>     if (auth)
>         return Response.status(Status.OK).entity("User Service up and running!").build();
>     else
>         return Response.status(Status.OK).entity("User authentication needed!").build();
> }
>
> Shiro seems to work quite well if I do explicit login and logout, but the
> authBasic filter doesn't seem to work.
>
> I tested it with the Chrome extension Advanced Rest Client and putting
> some breakpoints in BasicHttpAuthenticationFilter and the filter is
> completely ignored.
>
> I have the feeling that shiro.ini is not enough in this case and I must
> explicitly tell the jaxrs server to use shiro filter first but I don't know
> how.
>
> Is it right? Could you help me, please?
> Thank you in advance,
>
>
> Lisa
>
>
>
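
The web.xml wiring that the question at the top of this thread refers to, as an added example that is not part of the original messages. It assumes the service is deployed as a servlet web application rather than started programmatically as in the quoted code, and it reuses the classpath:shiro.ini location from the post.

```xml
<!-- Added example: WEB-INF/web.xml fragment for a servlet deployment (assumption). -->

<!-- Optional: where the web environment loads its INI from.
     Shiro also looks at /WEB-INF/shiro.ini and classpath:shiro.ini by default. -->
<context-param>
    <param-name>shiroConfigLocations</param-name>
    <param-value>classpath:shiro.ini</param-value>
</context-param>

<!-- Creates the Shiro WebEnvironment (SecurityManager plus the filter
     chains built from the [urls] section) when the application starts. -->
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<!-- The servlet filter that actually runs authcBasic and the other
     chains; without it the [urls] section is never consulted. -->
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<!-- Map it to every request and declare it before other filter mappings
     so the security check runs first. -->
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
```

With this wiring, ShiroFilter evaluates the `/users/** = authcBasic` rule on each request and binds the Subject to the request thread, so a breakpoint in BasicHttpAuthenticationFilter is reached for paths under /users/.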