shiro-user mailing list archives

From daniel_asv <dan...@macropro.com.mx>
Subject Re: How to use JSecurity
Date Thu, 14 Aug 2008 16:26:33 GMT

I'm using JBuilder 2008 and I chose to create an EJB Modeling project for
the servidor.jar. I only have 2 months programming in Java; maybe that's why
I'm making wrong use of EJB with JSecurity.


Les Hazlewood wrote:
> 
> Just out of curiosity, are you using EJB3?
> 
> On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <les@hazlewood.com> wrote:
> 
>> Ah, I see now.
>>
>> The default JSecurity SecurityManager implementations are almost always
>> intended to reside in the business tier, not in the client.  In an EJB3
>> application, this means it should reside alongside (a peer to) your
>> Stateless Session Bean - in the server, not in the client gui.
>>
>> So, if you want to secure a web service, JSecurity has to be configured to
>> handle http communication - this is done by configuring JSecurity as a
>> servlet filter in web.xml, to intercept the webservice Servlet Requests that
>> will eventually call the underlying EJB.
>>
>> See this JavaDoc for how to configure the filter:
>> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>>
>> So, for example, if all of your web service calls go
>>
>> http://your.host.ip/myapp/webservices
>>
>> you would configure the JSecurity filter to intercept all the
>> /webservices/** urls.  For example:
>>
>> <filter>
>>     <filter-name>JSecurityFilter</filter-name>
>>     <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>>     <init-param>
>>         <param-name>config</param-name>
>>         <param-value>
>>             # The JSecurityFilter configuration is very powerful and flexible, while still remaining succinct.
>>             # Please read the comprehensive example, with full comments and explanations, in the JavaDoc:
>>             #
>>             # http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>>
>>             [filters]
>>             jsecurity.loginUrl = /s/login
>>             authc.successUrl = /s/index
>>
>>             [urls]
>>             # specify any of the above filters here, depending on the type of security you want:
>>             /webservices/**=authc
>>
>>         </param-value>
>>     </init-param>
>> </filter>
>>
>> <filter-mapping>
>>     <filter-name>JSecurityFilter</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> Does this help?
>>
>>
>> On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <daniel@macropro.com.mx> wrote:
>>
>>>
>>> Hi Les, I don't use servlets and don't configure web.xml.
>>>
>>> I have three jars:
>>> 1. servidor.jar, an EJB deployed in GlassFish; this contains my stateless
>>> session bean (God), which exposes all its methods as a webservice, and my
>>> JPA entities (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
>>> Persona, Rol, Tratamiento, Usuario).
>>> 2. servicios.jar, with the web service client generated from the WSDL in
>>> GlassFish using JAX-WS and JAXB.
>>> 3. cliente.jar, the Swing application that consumes the webservices (here
>>> I use JSecurity).
>>>
>>> My problem is in the webservices. I don't know how to call them using a
>>> user and password.
>>>
>>>
>>> Les Hazlewood wrote:
>>> >
>>> > Hi Daniel,
>>> >
>>> > Have you configured JSecurity via a servlet filter in web.xml?  I'm just
>>> > trying to see what your runtime environment is like first before I
>>> > recommend a solution.
>>> >
>>> > Les
>>> >
>>> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <daniel@macropro.com.mx>
>>> > wrote:
>>> >
>>> >>
>>> >> I have implemented this class that inherits from AuthorizingRealm:
>>> >>
>>> >> package presentacion;
>>> >>
>>> >> import java.util.LinkedHashSet;
>>> >> import java.util.Set;
>>> >>
>>> >> import org.jsecurity.authc.AccountException;
>>> >> import org.jsecurity.authc.AuthenticationException;
>>> >> import org.jsecurity.authc.AuthenticationInfo;
>>> >> import org.jsecurity.authc.AuthenticationToken;
>>> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
>>> >> import org.jsecurity.authc.UnknownAccountException;
>>> >> import org.jsecurity.authc.UsernamePasswordToken;
>>> >> import org.jsecurity.authz.AuthorizationException;
>>> >> import org.jsecurity.authz.AuthorizationInfo;
>>> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
>>> >> import org.jsecurity.realm.AuthorizingRealm;
>>> >> import org.jsecurity.subject.PrincipalCollection;
>>> >>
>>> >> import acciones.God;
>>> >> import acciones.Permiso;
>>> >> import acciones.Rol;
>>> >> import acciones.Usuario;
>>> >>
>>> >> public class EjbRealm extends AuthorizingRealm {
>>> >>        private God servicios;
>>> >>
>>> >>        public EjbRealm(God servicios) {
>>> >>                this.servicios = servicios;
>>> >>        }
>>> >>
>>> >>        private Set<String> getRoles(Usuario u) {
>>> >>                Set<String> roles = new LinkedHashSet<String>();
>>> >>                for (Rol rol : u.getRoles()) {
>>> >>                        roles.add(rol.getNombre());
>>> >>                }
>>> >>                return roles;
>>> >>        }
>>> >>
>>> >>        private Set<String> getPermisos(Usuario u) {
>>> >>                Set<String> permisos = new LinkedHashSet<String>();
>>> >>                for (Rol rol : u.getRoles()) {
>>> >>                        for (Permiso p : rol.getPermisos()) {
>>> >>                                permisos.add(p.getNombre());
>>> >>                        }
>>> >>                }
>>> >>                return permisos;
>>> >>        }
>>> >>
>>> >>        @Override
>>> >>        protected AuthorizationInfo doGetAuthorizationInfo(
>>> >>                        PrincipalCollection principals) {
>>> >>                if (principals == null) {
>>> >>                        throw new AuthorizationException(
>>> >>                                        "El parametro PrincipalCollection no puede ser null.");
>>> >>                }
>>> >>                String apodo = (String) principals.fromRealm(getName()).iterator()
>>> >>                                .next();
>>> >>                Usuario u = servicios.consultarUsuario(apodo);
>>> >>                SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(getRoles(u));
>>> >>                info.setStringPermissions(getPermisos(u));
>>> >>                return info;
>>> >>        }
>>> >>
>>> >>        @Override
>>> >>        protected AuthenticationInfo doGetAuthenticationInfo(
>>> >>                        AuthenticationToken token) throws AuthenticationException {
>>> >>                UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>>> >>                String apodo = upToken.getUsername();
>>> >>                if (apodo == null) {
>>> >>                        throw new AccountException(
>>> >>                                        "No se permiten apodos Null en este realm.");
>>> >>                }
>>> >>                AuthenticationInfo info = null;
>>> >>                String contrasenia = servicios.consultarContrasenia(apodo);
>>> >>                if (contrasenia == null) {
>>> >>                        throw new UnknownAccountException("No se encontro el usuario ["
>>> >>                                        + apodo + "]");
>>> >>                }
>>> >>                info = new SimpleAuthenticationInfo(apodo, contrasenia, getName());
>>> >>                return info;
>>> >>        }
>>> >>
>>> >> }
>>> >>
>>> >> And in my login window I have implemented this code in a button:
>>> >>        private GodService god = new GodService();
>>> >>        protected void button_actionPerformed(ActionEvent arg0) {
>>> >>                EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>>> >>                ejbRealm.setCredentialsMatcher(new Sha256CredentialsMatcher());
>>> >>                DefaultSecurityManager securityManager = new DefaultSecurityManager(
>>> >>                                ejbRealm);
>>> >>                UsernamePasswordToken token = new UsernamePasswordToken(apodoText
>>> >>                                .getText(), contraseniaText.getPassword());
>>> >>                try {
>>> >>                        Subject user = securityManager.login(token);
>>> >>                        if (user.isAuthenticated()) {
>>> >>                                MenuForm window = new MenuForm(god);
>>> >>                                window.show();
>>> >>                                dispose();
>>> >>                        }
>>> >>                } catch (AuthenticationException e) {
>>> >>                        mostrarMensaje("Usuario o contraseña incorrectos");
>>> >>                } finally {
>>> >>                        securityManager.destroy();
>>> >>                }
>>> >>        }
>>> >>
>>> >> But now I want to know how to secure my webservice (God) using JSecurity.
>>> >> What do I need to do?
>>> >>
>>> >>
>>> >> daniel_asv wrote:
>>> >> >
>>> >> > Hi, I have a webservice from a stateless session bean running in a
>>> >> > GlassFish Application Server. The webservice is consumed by a Swing
>>> >> > application; I want to add a login to the Swing application. The user
>>> >> > and password will be stored in a SQL Server 2005 database managed by
>>> >> > JPA (Hibernate).
>>> >> >
>>> >> > What do I need to do to use JSecurity in my login window using the
>>> >> > webservice?
>>> >> >
>>> >>
>>> >> --
>>> >> View this message in context:
>>> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>>> >> Sent from the JSecurity User mailing list archive at Nabble.com.
>>> >>
>>> >>
>>> >
>>> >
>>>
>>> --
>>> View this message in context:
>>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
>>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>>
>>>
>>
> 
> 

-- 
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p724494.html
Sent from the JSecurity User mailing list archive at Nabble.com.
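
An added example, not part of the original thread or of JSecurity: one way for the Swing client to call the generated JAX-WS port with a user and password, leaving the check itself to the server-side filter. It assumes the server's chain for /webservices/** accepts HTTP Basic credentials (the thread does not say which filter does) and that javax.xml.ws is on the classpath; the class name WsCredentials, the helper withCredentials and the sample credentials are hypothetical.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.BindingProvider;

public class WsCredentials {

    /**
     * Attaches a username and password to a JAX-WS port so that every call
     * carries them (the JAX-WS runtime sends them as HTTP Basic authentication).
     * Refuses unless the endpoint is HTTPS, because Basic credentials are only
     * base64-encoded on the wire.
     */
    public static <T> T withCredentials(T port, String user, char[] password) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        Object endpoint = ctx.get(BindingProvider.ENDPOINT_ADDRESS_PROPERTY);
        if (endpoint == null
                || !endpoint.toString().regionMatches(true, 0, "https://", 0, 8)) {
            throw new IllegalStateException(
                    "Refusing to send credentials to non-HTTPS endpoint: " + endpoint);
        }
        ctx.put(BindingProvider.USERNAME_PROPERTY, user);
        ctx.put(BindingProvider.PASSWORD_PROPERTY, new String(password));
        return port;
    }

    public static void main(String[] args) {
        // Constructed stand-in for a generated port such as god.getGodPort():
        // a proxy that only answers getRequestContext(), so this runs offline.
        final Map<String, Object> ctx = new HashMap<String, Object>();
        InvocationHandler handler = (proxy, method, a) ->
                "getRequestContext".equals(method.getName()) ? ctx : null;
        BindingProvider port = (BindingProvider) Proxy.newProxyInstance(
                WsCredentials.class.getClassLoader(),
                new Class<?>[] { BindingProvider.class }, handler);

        // Plain-HTTP endpoint (constructed URL): the helper rejects it.
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "http://your.host.ip/myapp/webservices");
        try {
            withCredentials(port, "daniel", "secret".toCharArray());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // HTTPS endpoint: credentials are attached to the request context.
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "https://your.host.ip/myapp/webservices");
        withCredentials(port, "daniel", "secret".toCharArray());
        System.out.println("username set: " + ctx.get(BindingProvider.USERNAME_PROPERTY));
    }
}
```

In the login button, the port returned by god.getGodPort() would be passed through withCredentials once, and a rejected login then surfaces as an HTTP 401 from the server rather than a client-side password comparison.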

