shiro-user mailing list archives

From "Christian Scharr" <Christian.Sch...@hsh-berlin.com>
Subject RE: custom authentication and authorization
Date Wed, 29 Sep 2010 08:19:24 GMT
Hi Les,
first a big THX, I successfully got it up and running by starting with the sample from the
subversion repository and progressively customizing it.

Now I want to change the authentication mechanism from authcBasic to form based authc. Therefore
I changed the ini in the following way:

"[main]
securityManager = org.apache.shiro.web.mgt.DefaultWebSecurityManager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
secureRealm = de.hshsoft.custobee.security.SecureRealm
authc.loginUrl = /login/do

[urls]
/acp/plugin = authc, rest
/contacts = authc, rest
/logout = authc, rest
/acp/user = authc, rest
/acp/user/new = authc, rest
/** = anon"

Instead of redirecting me to the given loginUrl I got a 500 error-message with the text "No
SessionManager".

The console-logging gives a hint in DEBUG-level:
"org.eclipse.jetty.util.log: REQUEST /contacts on org.eclipse.jetty.server.nio.SelectChannelConnector$2@190a0d6
org.eclipse.jetty.util.log: servlet=org.restlet.ext.servlet.ServerServlet-28678543
org.eclipse.jetty.util.log: servlet holder=
org.eclipse.jetty.util.log: chain=
org.eclipse.jetty.util.log: call filter org.apache.shiro.web.servlet.IniShiroFilter
org.apache.shiro.web.servlet.AdviceFilter: Filter execution resulted in an unexpected Exception
(not IOException or ServletException as the Filter API recommends).  Wrapping in ServletException
and propagating."

The corresponding stacktrace says:
"java.lang.IllegalStateException: No SessionManager
	at org.eclipse.jetty.server.Request.getSession(Request.java:1097)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:227)
	at org.apache.shiro.web.servlet.ShiroHttpServletRequest.getSession(ShiroHttpServletRequest.java:142)
	at org.apache.shiro.web.servlet.ShiroHttpServletRequest.getSession(ShiroHttpServletRequest.java:164)
	at org.apache.shiro.web.session.mgt.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:109)
[...]"

I have no clue why Shiro doesn't use the given default SessionManager or what I should do
to make things work... :-/

P.S.
In my opinion Shiro is a great security framework, but a little bit more documentation on how
these things work and how to configure the whole framework for different scenarios would
really be a big step forward to easier implementation and bigger popularity.

> -----Original Message-----
> From: les.hazlewood@anjinllc.com [mailto:les.hazlewood@anjinllc.com] On
> Behalf Of Les Hazlewood
> Sent: Tuesday, September 28, 2010 7:16 PM
> To: shiro-user@incubator.apache.org
> Subject: Re: custom authentication and authorization
> 
> Hi Christian,
> 
> Your config looks fine - it appears that it should be working.  Could
> you please try a similar config with the Shiro sample web application
> (in the Shiro source distribution under samples/web) and see what
> happens?  If it still fails, please post the config that you used with
> the sample app and I'll try it myself.
> 
> Les
> 
> On Mon, Sep 27, 2010 at 11:11 PM, Christian Scharr
> <Christian.Scharr@hsh-berlin.com> wrote:
> > Hi,
> > after some experimental testing and evaluation I decided to use
> Apache Shiro in one of my projects.
> > So I tried to customize Shiro's authentication/authorization behaviour
> by subclassing the org.apache.shiro.realm.AuthorizingRealm abstract
> class and put it in my ini-config.
> >
> > Now my INI looks like:
> > "[main]
> > rest = org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
> > secureRealm = de.hshsoft.custobee.security.SecureRealm
> >
> > [urls]
> > /acp/plugin = authcBasic, rest
> > /contacts = authcBasic, rest
> > /logout = authcBasic, rest
> > /acp/user = authcBasic, rest
> > /acp/user/new = authcBasic, rest
> > /** = anon"
> >
> > I've put some logging messages into my Realm-class so I can see
> what's going on.
> > And here's the problem:
> > - after reading the ini, the realm class is instantiated [OK]
> > - trying to access one of the "protected" resources shows me the
> wished login-prompt [OK]
> > - sending the filled login-prompt never ever executes the
> doGetAuthenticationInfo() or doGetAuthorizationInfo() methods of my
> realm [FAILURE]
> >
> > I've no idea what's wrong with my code or my approach... :-(
> > Please give me a tip to the right direction to get this code running.
> >
> > Mit freundlichen Grüßen,
> > Greets,
> >
> > Christian Scharr
> > Dipl. Wirtschaftsinformatiker (BA)
> > MESO-Entwicklung
> > ----------
> > HSH Soft- und Hardware Vertriebs GmbH
> > Rudolf-Diesel-Straße 2
> > 16356 Ahrensfelde
> > Tel. (Zentrale): +49 (0)30/94 004 0
> > Tel. (Hotline): +49 (0)30/94 004 444
> > Fax: +49 (0)30/94 004 400
> > eMail: christian.scharr@hsh-berlin.com
> > ---
> > Amtsgericht Frankfurt (Oder): HRB 7352 FF
> > Geschäftsführer: Stephan Hauber
> >
> >
> >