Shiro in Java EE 6 Application

I followed BalusC's code to manage user authentication in Java EE 6 ( http://balusc.blogspot.com/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html ). It works fine if I stay in the same web container.

I am having a problem that may help me. When you enter an EJB that resides in a web container, SecurityUtils.getSubject() works fine with any method of that EJB.

The problem is that I am trying to do this on a nested EJB from another container (even in an ejb jar in the same EAR).

The error I am getting is:

Called: org.apache.shiro.UnavailableSecurityManagerException: no SecurityManager available for the calling code, either bound to org.apache.shiro.util.ThreadContext, or as a static singleton vm. This is the wrong application configuration.

Use case:

A managed bean A with a nested stateless session bean B. Class A is in myApp.war, class B is in myApp.ejb, both inside myApp.ear. I am calling SecurityUtils from class B.

Do you have any information on how to solve this?

I am running JSF 2, Java EE 6, JBoss 7.1.

+2
2 answers

I am answering my own question.

LoginModule JBoss:

( ):

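import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Assumed import: the post does not show which Logger class it uses.
import org.jboss.logging.Logger;

public class ShiroJAASIntegrationFilter implements Filter {

    static Logger logger = Logger.getLogger(ShiroJAASIntegrationFilter.class);

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        HttpSession session = httpServletRequest.getSession(false);
        // If the request already carries a user principal and this session has
        // not been bridged yet, log the same user name into the container
        // security domain with an empty password.
        if (userPrincipal != null) {
            if (session != null && session.getAttribute("shiroAuthenticated") == null) {
                String name = userPrincipal.getName();
                try {
                    httpServletRequest.login(name, "");
                    // Mark the session so the container login runs only once.
                    session.setAttribute("shiroAuthenticated", true);
                } catch (ServletException e) {
                    logger.debug("Unable to authenticate user: " + e.getMessage());
                }
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
}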

, :

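import java.security.acl.Group;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class ShiroJAASLoginModule extends UsernamePasswordLoginModule {

    /**
     * Always return true: every user name is accepted with any password,
     * so this security domain performs no credential check of its own.
     */
    @Override
    protected boolean validatePassword(String inputPassword,
            String expectedPassword) {
        return true;
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        //TODO: if needed, add roles
        // The "Roles" group currently holds only the user name itself.
        Group[] roleSets = { new SimpleGroup("Roles") };
        roleSets[0].addMember(new SimplePrincipal(getUsername()));
        return roleSets;
    }

    // No stored password is looked up; validatePassword() ignores it anyway.
    @Override
    protected String getUsersPassword() throws LoginException {
        return null;
    }

}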

standalone.xml:

<security-domain name="shiro" cache-type="default">
 <authentication>
  <login-module code="web.security.shiroJaasIntegration.ShiroJAASLoginModule" flag="required"/>
 </authentication>
</security-domain>

, jboss-web.xml:

<jboss-web>
    <security-domain>shiro</security-domain>

</jboss-web>
+1

, SecurityManager ThreadLocal ShiroFilter. doFilterInternal. Subject ThreadContext subject.execute, , SecurityUtils.getSubject() null , subject.execute, ShiroFilter, , , .

AbstractShiroFilter.java

protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain chain)
            throws ServletException, IOException {
...

            final Subject subject = createSubject(request, response);

            //noinspection unchecked
            subject.execute(new Callable() {
                public Object call() throws Exception {
                    updateSessionLastAccessTime(request, response);
                    executeChain(request, response, chain);
                    return null;
                }
            });    
...
    } 

, , inject Stateless B, DI? Guice Spring.

0
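The thread binding that the second answer points to in AbstractShiroFilter can be reproduced outside a container. This is an added example, not code from either answer or from Shiro itself; it assumes Shiro 1.x on the classpath and Java 8, and the class name ThreadBoundSubjectDemo, the account and the password are constructed for the demonstration.

```java
import java.util.concurrent.Callable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.UnavailableSecurityManagerException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class ThreadBoundSubjectDemo {

    // Reports who Shiro thinks the caller is, or that no context is bound.
    static String whoAmI() {
        try {
            return "principal=" + SecurityUtils.getSubject().getPrincipal();
        } catch (UnavailableSecurityManagerException e) {
            return "no SecurityManager bound";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory account. The SecurityManager is deliberately NOT
        // registered with SecurityUtils.setSecurityManager(), so it is reachable
        // only through a thread binding, as when only ShiroFilter holds it.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-password");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken("alice", "constructed-password"));

        // 1. Inside subject.execute() the Subject and SecurityManager are bound
        //    to the thread, as in the doFilterInternal excerpt quoted above.
        Callable<String> task = ThreadBoundSubjectDemo::whoAmI;
        System.out.println("inside execute : " + subject.execute(task));

        // 2. execute() restores the previous (empty) thread state on return.
        System.out.println("after execute  : " + whoAmI());

        // 3. A thread that never ran inside execute() has no Shiro context.
        Thread bare = new Thread(() -> System.out.println("bare thread    : " + whoAmI()));
        bare.start();
        bare.join();

        // 4. The Subject has to be handed over explicitly to be visible there.
        Runnable report = () -> System.out.println("associated     : " + whoAmI());
        Thread bound = new Thread(subject.associateWith(report));
        bound.start();
        bound.join();
    }
}
```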
