I implemented the Security with Shiro in my web app, but with my own redirection mechanism (not using shiro.ini). All is done through RPC calls (no need to have a new page for login, better for integration).
I made a GWT page (Activity if you use recent patterns recommendations), plugged on a #!login token in the URL.

On client side, all my RPC method interfaces can throw a RemoteServiceException.

On server side, I have a common entry point that catches all service exceptions, especially Shiro ones. When a Shiro exception is caught, I rethrow it with a RemoteServiceException + a special flag that indicates that it is a security exception (for the client side).

I overloaded the AsyncCallback<> object on client side. It is the common point to all RPC responses. You can check that you have a RemoteServiceException with a Shiro flag in it, and in this case, redirect your client on the GWT login page.

Hope it can help.

Nicolas.

2011/10/31 Julien Muller <[email protected]>

> Hello,
>
> I am evaluating security solutions for a GWT application.
> I like the shiro approach since it seems simple and easy to plug to ldap,
> but I am afraid I did not really find working examples or tutorial about
> this context.
>
> I acknowledge you cannot use shiro classes from client side (javascript),
> but do not think this should be a problem.
>
> My understanding about what I should do (simple version with local users
> defined in shiro.ini):
> - Add IniShiroFilter to my web.xml
> - add shiro.ini with authc.loginUrl = login.html, users and urls.
> - Add a login.html page
> - I will handle rpc security afterwards passing credentials in my payload
> and perform server side validation for each call.
>
> Up to now, I can tell my shiro.ini is taken into account, the application
> can forward to login.html, but then nothing else is done.
> I have seen in this tutorial:
> http://www.brucephillips.name/blog/print.cfm?id=7766522C-3048-7B4D-A96E8EA958A8E540
> that a custom servlet is implemented for login. It seems to me it should
> be handled automatically by shiro (or not?).
>
> Furthermore, shiro documentation let me believe that after login, the user
> will be automatically redirected to his original request page, which is
> definitely not the case during my tests.
>
> Any help or guidance would be appreciated.
>
> --
>
> Best Regards,
>
> Julien
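
The flagged-exception pattern described in the reply above, as an added sketch that is not code from either poster: the server wraps any Shiro exception in a RemoteServiceException carrying a security flag, and a shared AsyncCallback base class redirects to the #!login token when it sees that flag. The names `ServiceGuard`, `SecuredCallback`, `securityFailure` and `onOtherFailure` are assumptions made for illustration; the three classes are shown in one listing but belong in shared, server and client packages respectively.

```java
import com.google.gwt.user.client.History;
import com.google.gwt.user.client.rpc.AsyncCallback;
import org.apache.shiro.ShiroException;
import java.util.concurrent.Callable;

// Shared by client and server (own file, in a GWT-translatable package).
class RemoteServiceException extends Exception {
    private boolean securityFailure;              // the "special flag" from the post

    RemoteServiceException() { }                  // GWT RPC serialization needs a no-arg constructor

    RemoteServiceException(String message, boolean securityFailure) {
        super(message);
        this.securityFailure = securityFailure;
    }

    boolean isSecurityFailure() { return securityFailure; }
}

// Server side (hypothetical helper): every service method body runs through this wrapper.
final class ServiceGuard {
    static <T> T call(Callable<T> body) throws RemoteServiceException {
        try {
            return body.call();
        } catch (RemoteServiceException e) {
            throw e;                              // already in the wire format
        } catch (ShiroException e) {
            // Fixed message: Shiro's own text can name realms or permissions.
            throw new RemoteServiceException("Not authenticated or not permitted", true);
        } catch (Exception e) {
            throw new RemoteServiceException("Server error", false);
        }
    }
}

// Client side (hypothetical base class): all RPC callbacks extend it.
abstract class SecuredCallback<T> implements AsyncCallback<T> {
    @Override
    public final void onFailure(Throwable caught) {
        if (caught instanceof RemoteServiceException
                && ((RemoteServiceException) caught).isSecurityFailure()) {
            History.newItem("!login");            // the #!login place token
            return;
        }
        onOtherFailure(caught);                   // non-security errors go to the caller
    }

    protected abstract void onOtherFailure(Throwable caught);
}
```

The client-side redirect is only navigation; access control still rests on the Shiro checks that run on the server for every RPC call.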
