shiro-user mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject Re: Spring stand alone client
Date Wed, 03 Feb 2010 20:52:29 GMT
This feature - any rich client participating in a server side session
- is a powerful feature unique to Shiro.  You must use Shiro's native
sessions.  Servlet container HTTP sessions can't support this
functionality for any protocols other than HTTP.  Shiro's native
session mode can.

Does this help?

Regards,

Les

On Mon, Nov 2, 2009 at 2:43 PM, Narcom <narcom_baku@yahoo.com> wrote:
>
> I figured out what is wrong using "http monitor" and debugger...
> When I use shiro SecureRemoteInvocationFactory for spring remoting it does
> not send http session cookies/headers at all, but instead somehow serializes
> and wraps them into server request. On server side Shiro unwraps received
> object and extracts that server id... but problem is that Tomcat has no
> idea that it was request with session... All this happens if you use not
> "native" session storage mode but "http" session mode and
> DefaultSecurityManager.
>
> If I switched to native session mode then everything is working.
>
> It seems to me that to use standard http session I need to use
> DefaultWebSecurityManager but I do not know how to initiate it on client
> side. any ideas?
>
>
> Narcom wrote:
>>
>> I managed to call remote "secure" spring bean at last... using this code
>>         PropertyConfigurator.configure("web/WEB-INF/log.properties");
>>         ctx = new FileSystemXmlApplicationContext("/web/WEB-INF/remoting-client.xml");
>>
>>         DefaultSecurityManager securityManager = new DefaultSecurityManager();
>>         securityManager.setRealm(new PropertiesRealm());
>>
>>         SecurityUtils.setSecurityManager(securityManager);
>>
>>         LoginManagerRemote loginManager = (LoginManagerRemote) ctx.getBean("loginManager");
>>         UserRemote user = loginManager.login();
>>         String sessionId = user.getSessionId();
>>         log.info("user name: " + user.getName());
>>         log.info("sesssionId: " + sessionId);
>>
>>         SimpleSession session = new SimpleSession();
>>         session.setId(sessionId);
>>
>>         Subject subject = new Subject.Builder().session(session).buildSubject();
>>
>>         Session sessionLocal = subject.getSession(false);
>>         if (sessionLocal != null) {
>>             log.info("session.getId(): " + sessionLocal.getId());
>>         } else {
>>             log.info("session: null");
>>         }
>>
>>         subject.execute(new Runnable() {
>>
>>             public void run() {
>>                 SampleManager sampleManager = (SampleManager) ctx.getBean("sampleManager");
>>                 String result = sampleManager.secureMethod1();
>>                 log.info(result);
>>             }
>>         });
>>
>> But now I have another problem. When I call secureMethod1() it executes
>> fine only if I do not check authorization.
>> This is what I get on server side:
>> 2009-11-02 14:50:04,656 DEBUG
>> (org.apache.shiro.authc.credential.SimpleCredentialsMatcher:100)
>> Performing credentials equality check for tokenCredentials of type
>> [org.apache.shiro.crypto.hash.Sha256Hash and accountCredentials of type
>> [org.apache.shiro.crypto.hash.Sha256Hash]
>> 2009-11-02 14:50:04,656 DEBUG
>> (org.apache.shiro.authc.AbstractAuthenticator:217) Authentication
>> successful for token [org.apache.shiro.authc.UsernamePasswordToken -
>> user1, rememberMe=true].  Returned account
>> [org.apache.shiro.subject.SimplePrincipalCollection@4930af45]
>> 2009-11-02 14:50:04,687 DEBUG
>> (org.apache.shiro.web.attr.AbstractWebAttribute:171) No 'editorClass'
>> property set - returning value.toString() as the string value for method
>> argument.
>> 2009-11-02 14:50:04,687 DEBUG
>> (org.apache.shiro.web.attr.CookieAttribute:350) Added Cookie [rememberMe]
>> to path [/SpringRemoting] with value
>> [UwP13UzjVUceLBNWh+sYM01JWOSbBOwc1ZLySIws0IdnkcWeD/yWeH0eIycwHaI8MRKPyenBr76EoLkEZnXSz4i27cTTUps5qOgU/ZQLdvIOxlZxmT9RlUvKT6zopnQrSpdsCNaruG/Op/XEoJcdNLI9rJCCyMKN3em5wl8GrWTIzKS4hzHombGBEW4EPS9jv40HV4mIS2sUFXm5MlOptr99e1A6eKYxlLrldk2/yqw29nWohE0sIjO7tRF9mOAZUeC/Fem6K4S82LbXAJ6p0oNg3MP7dbFSkeeDF2CwFJvvi5xVrGyF0aKk8JzBHKzmRgLAreVAMGR0L2hGHOgIP/uup6KzE3QFZJpPSCmtcRZASMTpLxTpiiTHhVmB9Hf42eGB9vfoR9QFfK0U+in7fyrWyyAs3GPdM884yP9B8YdVfqUzqWhbzMDdUgS0PKpc3QsBDOqdsLzOpvUImFdomuk+RZ98i28s/KP1puAwmeo=]
>> to the HttpServletResponse
>> 2009-11-02 14:50:04,812 INFO (com.springbook.LoginManagerBean:43)
>> 70931A960971B2477A95A27B296D4C0D
>> 2009-11-02 14:50:04,843 DEBUG
>> (org.apache.shiro.mgt.DefaultSecurityManager:384) Context referenced
>> sessionId is invalid.  Ignoring and creating an anonymous (session-less)
>> Subject instance.
>> org.apache.shiro.session.UnknownSessionException: There is no session with id [70931A960971B2477A95A27B296D4C0D]
>>         at org.apache.shiro.session.mgt.AbstractSessionManager.getSession(AbstractSessionManager.java:249)
>>         at org.apache.shiro.session.mgt.AbstractSessionManager.checkValid(AbstractSessionManager.java:265)
>>         at org.apache.shiro.mgt.SessionsSecurityManager.checkValid(SessionsSecurityManager.java:294)
>>         at org.apache.shiro.mgt.DefaultSecurityManager.getSession(DefaultSecurityManager.java:192)
>>         at org.apache.shiro.mgt.DefaultSecurityManager.resolveSession(DefaultSecurityManager.java:380)
>>         at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:343)
>>         at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:703)
>>         at org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor.invoke(SecureRemoteInvocationExecutor.java:106)
>>         at org.springframework.remoting.support.RemoteInvocationBasedExporter.invoke(RemoteInvocationBasedExporter.java:78)
>>         at org.springframework.remoting.support.RemoteInvocationBasedExporter.invokeAndCreateResult(RemoteInvocationBasedExporter.java:114)
>>         at org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter.handleRequest(HttpInvokerServiceExporter.java:117)
>>         at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:49)
>>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:874)
>>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:808)
>>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:476)
>>         at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:441)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>         at org.apache.shiro.web.servlet.ShiroFilter.executeChain(ShiroFilter.java:687)
>>         at org.apache.shiro.web.servlet.ShiroFilter.doFilterInternal(ShiroFilter.java:616)
>>         at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:81)
>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>         at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:390)
>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
>>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>         at java.lang.Thread.run(Thread.java:619)
>> 2009-11-02 14:50:04,906 INFO
>> (my.samples.shiro.spring.DefaultSampleManager:91) Secure method 1
>> called...
>> 2009-11-02 14:50:04,906 INFO
>> (my.samples.shiro.spring.DefaultSampleManager:96)
>> currentUser.isAuthenticated(): false
>> 2009-11-02 14:50:04,906 INFO
>> (my.samples.shiro.spring.DefaultSampleManager:101) session: null
>>
>> Note this line "There is no session with id
>> [70931A960971B2477A95A27B296D4C0D]" but this sessionId was created on
>> previous call and sent to client and submitted to Subject session. This is
>> client output:
>>
>> 2009-11-02 14:50:04,828 INFO (com.springbook.client.RemotingTest:65) user
>> name: user1
>> 2009-11-02 14:50:04,828 INFO (com.springbook.client.RemotingTest:66)
>> sesssionId: 70931A960971B2477A95A27B296D4C0D
>> 2009-11-02 14:50:04,828 DEBUG
>> (org.apache.shiro.mgt.DefaultSecurityManager:371) Context already contains
>> a session.  Returning.
>> 2009-11-02 14:50:04,828 INFO (com.springbook.client.RemotingTest:99)
>> session.getId(): 70931A960971B2477A95A27B296D4C0D
>> 2009-11-02 14:50:04,906 INFO (com.springbook.client.RemotingTest:109)
>> Secure method 1 called...
>>
>> So it looks like for some reason the session created before is not restored by
>> shiro...
>>
>> how to fix it?
>>
>>
>>
>
> --
> View this message in context: http://n2.nabble.com/Spring-stand-alone-client-tp3910311p3934177.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
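
The setup the reply describes, as an added example that is not part of the original thread or of Shiro's own code: the server uses Shiro native sessions so that the session id carried inside the remote invocation can be resolved, and the client proxy attaches that id. It assumes the Shiro 1.x API and a Spring version that still ships HTTP invoker; the `SampleManager` stand-in interface, the `Realm` and target beans, the bean names and the URL are placeholders.

```java
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor;
import org.apache.shiro.spring.remoting.SecureRemoteInvocationFactory;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;

// Stand-in for the poster's remote interface (assumption: one secured method).
interface SampleManager { String secureMethod1(); }

@Configuration
class ServerRemotingConfig {                       // deployed in the web application
    @Bean
    DefaultWebSecurityManager securityManager(Realm realm) {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager(realm);
        // Native sessions: Shiro owns the session store, so an id that arrives inside
        // the RemoteInvocation rather than in a JSESSIONID cookie can still be resolved.
        sm.setSessionManager(new DefaultWebSessionManager());
        return sm;
    }

    @Bean(name = "/sampleManager")                 // assumed URL-mapped bean name
    HttpInvokerServiceExporter sampleManagerExporter(SampleManager target,
                                                     DefaultWebSecurityManager sm) {
        SecureRemoteInvocationExecutor executor = new SecureRemoteInvocationExecutor();
        executor.setSecurityManager(sm);           // builds the Subject from that session id
        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
        exporter.setService(target);
        exporter.setServiceInterface(SampleManager.class);
        exporter.setRemoteInvocationExecutor(executor);
        return exporter;
    }
}

@Configuration
class ClientRemotingConfig {                       // loaded by the stand-alone client
    @Bean
    HttpInvokerProxyFactoryBean sampleManager() {
        HttpInvokerProxyFactoryBean proxy = new HttpInvokerProxyFactoryBean();
        // Placeholder URL; the session id is a bearer credential in the request body,
        // so the transport should be TLS.
        proxy.setServiceUrl("https://server.example/SpringRemoting/remoting/sampleManager");
        proxy.setServiceInterface(SampleManager.class);
        // Copies the calling Subject's session id into each invocation.
        proxy.setRemoteInvocationFactory(new SecureRemoteInvocationFactory());
        return proxy;
    }
}
```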
