I'm currently working on a web application in JavaEE6 stack and I've integrated Shiro for security. I think the authentication and authorization is working properly now and I have 1 last problem.
When I logout, I'm encountering UnknownSessionException, here are my config and codes for inspection:
web.xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<!-- Welcome page -->
<welcome-file-list>
<welcome-file>home.xhtml</welcome-file>
</welcome-file-list>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Map these files with JSF -->
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
</web-app>
shiro.ini
[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl
# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = czetsuyaPortal
# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true
# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM czetsuya_users WHERE username = ?
# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM czetsuya_roles a INNER JOIN czetsuya_user_roles b ON a.id = b.role_id INNER JOIN czetsuya_users c ON c.id = b.user_id WHERE c.username = ?
# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM czetsuya_permissions WHERE role = ?
# password hashing specification, put something big for hasIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = saltedJdbcRealm
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = shiro-activeSessionCache
securityManager.sessionManager.sessionDAO = $sessionDAO
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
# 1,800,000 milliseconds = 30 mins
sessionValidationScheduler.interval = 1800000
securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler
securityManager.sessionManager.sessionIdCookie.domain = com.czetsuya
# 1,800,000 milliseconds = 30 mins
securityManager.sessionManager.globalSessionTimeout = 1800000
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:shiro-ehcache.xml
securityManager.cacheManager = $cacheManager
czetsuyaFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
czetsuyaFilter.loginUrl = /faces/login.xhtml
czetsuyaFilter.unauthorizedUrl = /faces/login.xhtml
# logout.redirectUrl = /faces/login.xhtml
[urls]
/login.xhtml = czetsuyaFilter
/secure/** = czetsuyaFilter
/api/** = noSessionCreation, czetsuyaFilter
# /logout = logout
The part where I invoke logout:
public String logout() {
Subject subject = SecurityUtils.getSubject();
if (subject != null) {
subject.logout();
}
return "/home.xhtml?faces-redirect=true";
}
Thanks,
czetsuya
The problem with this configuration is the line:
securityManager.sessionManager.globalSessionTimeout = 1800000
It should be comment out. It's not working on shiro's native session.
Or an alternative would be to use the HttpSession (not shiro). Here's the config file:
[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl
# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dropshipDS
# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true
# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?
# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?
# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM crm_permissions WHERE role = ?
# password hashing specification, put something big for hasIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = $saltedJdbcRealm
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager
dsFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
dsFilter.loginUrl = /login.xhtml
roles = com.czetsuya.commons.web.security.shiro.RolesAuthorizationFilter
[urls]
/login.xhtml = dsFilter
/backend/** = dsFilter, roles[backend]
/affiliate/** = dsFilter, roles[affiliate]
/api/** = noSessionCreation, dsFilter
/logout = logout
Related
I'm using Resteasy 3.0.11.Final with JBoss AS 5.1.0 GA. I have a defined REST web service. The whole service is secured with BASIC authentication with a custom security domain. When I use Postman to send a request (#1) with BASIC authentication for user A, JBoss AS invokes a login module for the user, and then calls a local ejb (looked up with initial context) method with caller principal A. Immidiately after I send another request (#2) with BASIC authentication for user B, in this case JBoss AS does not invoke a login module and calls a local ejb method with caller principal A again. After some time sending a request with user B yields the desired result (local ejb method call with caller principal B). I'm not sure what causes the problem, the Resteasy service configuration / session handling or the JBoss AS security domain configuration which is responsible for login modules (subject timeout? lack of logout after method being called?)? Basically I want to configure Resteasy to force a new session with a new login module invocation for the local ejb method call for every rest request.
web.xml:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>my-app</display-name>
<context-param>
<param-name>resteasy.providers</param-name>
<param-value>org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider,com.mycompany.infrastructure.ExceptionMapper</param-value>
</context-param>
<context-param>
<param-name>resteasy.resources</param-name>
<param-value>com.mycompany.resource.Resource</param-value>
</context-param>
<listener>
<listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
</listener>
<servlet>
<servlet-name>my-app-resteasy-servlet</servlet-name>
<servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
<init-param>
<param-name>javax.ws.rs.core.Application</param-name>
<param-value>com.mycompany.application.Application</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>my-app-resteasy-servlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>my-app-resteasy-servlet</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>
<security-role>
<role-name>User</role-name>
</security-role>
</web-app>
jboss-web.xml
<jboss-web>
<context-root>/path</context-root>
<security-domain>java:/jaas/MyRealm</security-domain>
</jboss-web>
beans.xml
<beans
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
bean-discovery-mode="all">
</beans>
login-config.xml for MyRealm
<application-policy name="MyRealm">
<authentication>
<login-module code="com.mycompany.security.UsernamePasswordLoginModuleImpl"
flag="required">
<module-option name="password-stacking">useFirstPass</module-option>
</login-module>
</authentication>
</application-policy>
Resource.java
#Path("/resource")
#Stateless
public class Resource {
#POST
#Path("/execute")
#Consumes(MediaType.APPLICATION_JSON)
#Produces(MediaType.APPLICATION_JSON)
public ResponseDTO execute(RequestDTO dto) {
try {
// code
} catch (Exception exception) {
// handle
}
}
}
I found a very rough solution:
Resource.java:
#Path("/resource")
#Stateless
public class Resource {
#POST
#Path("/execute")
#Consumes(MediaType.APPLICATION_JSON)
#Produces(MediaType.APPLICATION_JSON)
public ResponseDTO execute(RequestDTO dto, #Context HttpServletRequest request) {
try {
// code
} catch (Exception exception) {
// handle
} finally {
if (request != null) {
request.getSession().invalidate();
}
}
}
}
or the same result, different implementation (without repeating the same code in every method in a resource, obviously):
SessionInvalidatorFilter.java
public class SessionInvalidatorFilter implements ContainerResponseFilter {
#Context
private HttpServletRequest request;
public void filter(ContainerRequestContext requestCtx, ContainerResponseContext responseCtx) throws IOException {
if ((request != null) && (request.getSession() != null)) {
request.getSession().invalidate();
}
}
}
web.xml
<context-param>
<param-name>resteasy.providers</param-name>
<param-value>com.mycompany.infrastructure.filter.SessionInvalidatorFilter</param-value>
</context-param>
I use JPA, JDBC and MySQL for my Spring Boot project. I have some trouble with special characters.
If I write an SQL query via JdbcTemplate, it's just fine. I can get back "á" characters.
But if it's via JPA, those characters are �-s.
The schema's default collation is utf8_hungarian_ci, and the default characterset is utf8.
My application.properties:
spring.jpa.database: MYSQL
spring.jpa.hibernate.ddl-auto: update
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url: jdbc:mysql://localhost:3306/databasename?useUnicode=yes&characterEncoding=UTF-8
spring.datasource.username: root
spring.datasource.password: password
I have two tables, user and userroles, and they are connected with #ManyToMany relations with a jointable.
User.java:
#ManyToMany(fetch = FetchType.EAGER)
#JoinTable(
name = "user_userrole",
joinColumns = #JoinColumn(name = "user_id", referencedColumnName = "id"),
inverseJoinColumns = #JoinColumn(name = "userrole_id", referencedColumnName = "id"))
private List<UserRole> userRoles;
public List<UserRole> getUserRoles() {
return userRoles;
}
UserRole.java:
#ManyToMany(mappedBy = "userRoles")
private List<User> users;
When I call this method:
currentUser.getUserRoles();
all "á" characters are replaced by �-s.
What am I missing?
EDIT:
I added a new user: árvíztűrő tükörfúrógép to the database. (I could do it without any problem, and I save user with jpa too, by the way.)
But when I tried to log in, I've got this exception:
error":"Internal Server Error","exception":"java.io.CharConversionException"
,"message":"Not an ISO 8859-1 character: ű"
pom.xml:
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.8</java.version>
</properties>
<property name="hibernate.connection.useUnicode" value="true" />
<property name="hibernate.connection.characterEncoding" value="UTF-8" />
with hibernate 4.3.1 this works:
<property name="connection.useUnicode">true</property>
<property name="connection.characterEncoding">utf-8</property>
Please add below in web xml
<filter>
<filter-name>SetCharacterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SetCharacterEncodingFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
I had written a very small rest service. When I am trying through the rest cilent, I am getting the error as "method not supported". Can anybody, please suggest me on this.
**controller class**
#Controller
#RequestMapping("/movie")
public class MovieController {
#RequestMapping(value="/{name}", method = RequestMethod.PUT, consumes="application/json")
public #ResponseBody Student getMovie(#PathVariable String name, ModelMap model, #RequestBody Student student, HttpSession session) {
Map<Integer, Student> empData = new HashMap<Integer, Student>();
empData.put(1, student);
return student;
}
}
**Request I am sending throught Rest DHC Client**
URL: http://localhost:8081/SpringMVC/movie/test
method selected: PUT
Headers: Content-Type:application/json
Body: {
"userId":"21",
"firstName":"srinu",
"lastName":"nivas"
}
I use only Jersey to do what you want.
My web.xml file is:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>appName</display-name>
<filter>
<filter-name>jersey</filter-name>
<filter-class>com.sun.jersey.spi.container.servlet.ServletContainer</filter-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.appName.rest</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.property.JSPTemplatesBasePath</param-name>
<param-value>/Pages/</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.property.WebPageContentRegex</param-name>
<param-value>/(resources|(Pages))/.*</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>jersey</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
And in the rest class i return a Viewable:
My rest class:
#GET
#Path("/PathToAccessPage")
#Produces(MediaType.TEXT_HTML)
public Viewable GetMyClassPage(#Context HttpServletRequest request, #Context UriInfo ui, #Context HttpHeaders hh) {
try {
MyClass myClass = getMyClass();
return new Viewable("/page", myClass);
}
catch (Exception ex) {
return new Viewable("/error", "Error processing request: " + ex.getMessage());
}
}
Hope you help!
Finally, I got the solution. I didn't import the below two jars.
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-core-asl</artifactId>
<version>1.9.13</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
<version>1.9.13</version>
</dependency>
As I am using spring MVC and as you can see in the above code, I am giving as consumes=application/json, I thought springMVC will take care of that. It's my mistake and also, I think the error which was renedered by spring, should be something specific to this. Anyway, got the solution. Thanks all for the help.
I am just trying out a sample rest service example. My rest service class is :
#Path("oauth")
public class OauthClass {
private static Map<String, OauthBean> oAuthBeanMap = new HashMap<String, OauthBean>();
static {
OauthBean oAuthBean = new OauthBean();
oAuthBean.setAccess_token(String.valueOf(Math.random()));
oAuthBean.setToken_type("bearer");
oAuthBean.setRefresh_token(String.valueOf(Math.random()));
oAuthBean.setExpires_in("44517");
oAuthBeanMap.put(oAuthBean.getToken_type(), oAuthBean);
}
#GET
#Path("/token?client_id={clntID}")
#Produces("application/json")
public OauthBean getOAuthJSON(#PathParam("clntID") String clientID) {
System.out.println(clientID + " Secret ");
System.out.println("oAuthBeanMap.get(\"bearer\") :P " + oAuthBeanMap.get("bearer"));
return oAuthBeanMap.get("bearer");
}
}
Now when i trry to invoke this url :
http://localhost:7070/RESTfulWS/rest/oauth/token?client_id=clnt001
I get a 405 error.Method not allowed
Below is my web.xml :
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>RESTfulWS</display-name>
<servlet>
<servlet-name>Jersey REST Service</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.eviac.blog.restws</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Jersey REST Service</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
</web-app>
I am using jersey 1.18.
What am i doing wrong? Looking forward tyo your solutions.
Reading through your code, I think you should write #Path("/token") instead of #Path("/token?client_id={clntID}").
Besides, as you yourself noted, you should use QueryParam instead of PathParam
We have a gwt app that uses jcifs to pull the user name from our NT domain. Here is a clip of our web.xml:
<filter>
<filter-name>NtlmHttpFilter</filter-name>
<filter-class>com.xxx.gwt.server.MyNTLMFilter</filter-class>
<init-param>
<param-name>jcifs.netbios.wins</param-name>
<param-value>192.168.109.20</param-value>
</init-param>
<init-param>
<param-name>jcifs.smb.client.domain</param-name>
<param-value>its</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>NtlmHttpFilter</filter-name>
<url-pattern>/trunkui/greet</url-pattern>
</filter-mapping>
<!-- Servlets -->
<servlet>
<servlet-name>greetServlet</servlet-name>
<servlet-class>com.xxx.gwt.server.GreetingServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>greetServlet</servlet-name>
<url-pattern>/trunkui/greet</url-pattern>
</servlet-mapping>
So currently when the user goes to our site they get about 2 or 3 repeated prompts asking them to log onto the domain even though they already are (you have to be on the domain to get to our app). I would like to at least reduce the prompting to only happen once. So I was going to make a dummy servlet off of "/trunkui/dummy" and let that get called only when I ask for the name. The remote servlet has this method that we call asynchronously:
public String getUser() {
String userAgent = "";
try {
userAgent = getThreadLocalRequest().getUserPrincipal().getName();
int slashIdx = -1;
if ((slashIdx = userAgent.indexOf('\\')) >= 0)
userAgent = userAgent.substring(slashIdx + 1);
} catch (Exception npe) {
npe.printStackTrace();
}
return userAgent;
}
So I wanted to do some sort of call to the dummy servlet to do the domain prompting, but I am unsure on how to do this from the gwt remote service. Or if there is a better way to do this?
I figured it out. I built the dummy servlet and then used a RequestBuilder on the client side to do a get on that servlet. That servlet then gets the userprincipal. Here is the client side:
RequestBuilder getNameRB = new RequestBuilder(RequestBuilder.GET, "naming");
getNameRB.setCallback( new RequestCallback() {
#Override
public void onResponseReceived(Request request, Response response) {
loadUserName(response.getText());
}
#Override
public void onError(Request request, Throwable exception) {
Window.alert("Unable to authenticate user\n"+exception.getMessage());
Window.Location.replace("http://ccc");
}
});
try {
getNameRB.send();
} catch (RequestException e) {
Window.alert(e.getMessage());
}