Date: Tue, 14 Feb 2012 14:21:59 +0000 (UTC)
From: "david e. berry (Commented) (JIRA)"
To: dev@shiro.apache.org
Message-ID: <1457010337.36471.1329229319504.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (SHIRO-160) Flex integration with Shiro

[ https://issues.apache.org/jira/browse/SHIRO-160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13207733#comment-13207733 ]

david e.
berry commented on SHIRO-160:
--------------------------------------

"It works as long as you keep false in flex/services-config."
"If you set this to true, flex will maintain multiple flex sessions per http session."

This is a feature of BlazeDS. Each browser is different, but in general if you access a flex client from one window and log in as userA, open up a new tab and log in as userB, you are now trying to use one HTTP Session with two different users. If you set to true, userA and userB will each have a flex session. If set to false there will be one flex session for each HTTP Session. When userB logs in, userB now has the session, and the userA session will start to act funny because the roles and permissions for the user have been changed to userB.

To account for this I started a file called BlazeDSSession manager that extends FlexSessionManager that extends DefaultWebSessionManager that extends DefaultSessionManager. Basically, the methods on DefaultWebSessionManager and DefaultSessionManager that create the session and return the session and session id will need to be overridden. Methods like:

    protected Session createExposedSession(Session session, SessionContext context)
    protected Session createExposedSession(Session session, SessionKey key)
    protected Serializable getSessionId(ServletRequest request, ServletResponse response)
    Serializable getSessionId(SessionKey key)
    protected Session newSessionInstance(SessionContext context)
    protected Session retrieveSession(SessionKey sessionKey)
        Looks up a session from the underlying data store based on the specified session key.

Les may be able to shed more light on creating a new WebSessionManager. This session manager should always take the Flex session and use it for Shiro.

> Flex integration with Shiro
> ---------------------------
>
>                 Key: SHIRO-160
>                 URL: https://issues.apache.org/jira/browse/SHIRO-160
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Authorization (access control)
>    Affects Versions: Incubation
>            Reporter: david e. berry
>              Labels: Flex
>         Attachments: amf package layout.png, blazeds-war-1.0-SNAPSHOT.war, graniteds-war-1.0-SNAPSHOT.war, shiroflex-1.2.0.tgz, shiroflex-war-1.0-SNAPSHOT.war, shiroflex.tgz, shiroflex.tgz
>
>
> Committers,
> I have created the following classes that I used to integrate Shiro with Flex AMF. I would like to contribute them to Shiro. Please let me know if there is interest and the procedure for doing so. I have included the class names with a brief description of what they do. They are currently outside of the Shiro code base that I checked out, but I could combine them if interested.
> Best Regards,
> Dave
> /* Authentication and Authorization need to let AMF Ping, Login, Logout messages pass through
> without processing. They call FlexMessageHelper to introspect the binary message to see if it is allowed to pass.
> If not, normal Authentication, and Authorization takes place.
> */
> public class FlexAuthenticationFilter extends AuthenticationFilter;
> public class FlexPermissionsAuthorizationFilter extends PermissionsAuthorizationFilter;
> public class FlexRolesAuthorizationFilter extends RolesAuthorizationFilter;
> /* Helper methods for introspecting the contents of the amf message. It is conceivable that a security handler
> might need to introspect the contents of a request. It would be nice if Shiro wrapped the request automatically so that anyone can read the contents without
> causing an end of stream error for a filter down the line.
> Message helper deserializes the AMF message and checks to see if it is a PING, LOGON, or LOGOUT request.
> */
> public class FlexHttpServletRequestWrapper extends HttpServletRequestWrapper;
> public class FlexMessageHelper;
> /* Custom Flex Login command that calls Subject.login returns a Principal back to Flex.
> */
> public class FlexLoginCommand implements LoginCommand;
> public class FlexPrincipal implements Principal;

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
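
The two-tab behaviour described in the comment above, as an added example that is not part of the original message and is not Shiro or BlazeDS code. It is a plain-JDK model: `SessionStore`, `httpKey`, `perClientKey`, the role assignments and the cookie and client ids are all constructed for illustration, and it only shows how the key that security state hangs on decides whether userB's login replaces userA's identity.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Constructed model, not Shiro or BlazeDS code: shows which key the security state hangs on. */
public class SharedSessionDemo {

    /** Hypothetical session store; the key is whatever the session manager resolves for a request. */
    static final class SessionStore {
        private final Map<String, String> userBySessionKey = new HashMap<>();
        private final Map<String, Set<String>> rolesByUser = Map.of(
                "userA", Set.of("admin"),    // constructed role assignments
                "userB", Set.of("guest"));

        void login(String sessionKey, String user) {
            // Logging in rebinds the identity stored under this key.
            userBySessionKey.put(sessionKey, user);
        }

        boolean hasRole(String sessionKey, String role) {
            String user = userBySessionKey.get(sessionKey);
            return user != null && rolesByUser.get(user).contains(role);
        }
    }

    /** One session per HTTP session: both tabs send the same cookie, so they resolve to one key. */
    static String httpKey(String jsessionId, String clientId) {
        return jsessionId;
    }

    /** One session per Flex client: each tab's client id is part of the key. */
    static String perClientKey(String jsessionId, String clientId) {
        return jsessionId + "/" + clientId;
    }

    public static void main(String[] args) {
        String cookie = "JSESSIONID-constructed";      // same browser, same cookie in both tabs
        String tab1 = "client-1", tab2 = "client-2";   // constructed per-tab client ids

        SessionStore shared = new SessionStore();
        shared.login(httpKey(cookie, tab1), "userA");
        shared.login(httpKey(cookie, tab2), "userB");  // replaces userA's binding
        System.out.println("shared key, tab1 admin? " + shared.hasRole(httpKey(cookie, tab1), "admin"));

        SessionStore isolated = new SessionStore();
        isolated.login(perClientKey(cookie, tab1), "userA");
        isolated.login(perClientKey(cookie, tab2), "userB");
        System.out.println("per-client key, tab1 admin? " + isolated.hasRole(perClientKey(cookie, tab1), "admin"));
        System.out.println("per-client key, tab2 admin? " + isolated.hasRole(perClientKey(cookie, tab2), "admin"));
    }
}
```

With the shared key, the first tab's role check is answered from userB's roles after the second login; with the per-client key, each tab keeps the identity it logged in with.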